XF 1.5 Chrome 80 - Cookies

valdet

Active member
Hello,
I was reading Troy's article about the influence of the stricter cookie policies that are coming with Chrome version 80, and a few pieces sound like it may bring problems.


Come version 80, any cookie without a SameSite attribute will be treated as "Lax" by Chrome. This is really important to understand because put simply, it'll very likely break a bunch of stuff. In order to demonstrate that, I've set up a little demo site to show how "Lax" and "Strict" SameSite cookies behave alongside the traditional ones with no policy at all


While we have HTTPS over TLS enabled as well as enforcing it further by HSTS, I wonder what issues this could bring in terms of WordPress/XenForo implementations?

Thoughts?



https://www.troyhunt.com/promiscuous-cookies-and-their-impending-death-via-the-samesite-policy/
 
Sadly this seems to be the only post I can find on SameSite cookies and the issues this new setting may bring.

I now only run two smaller sites, TiVoCommumity.com and DBSTalk.com, both on 1.5.23, both of which have been around for years and years. (I am the founder of AVSForum.com, which we sold in 2011.) But anyway, all this is new to me more or less, as the cookies were something that just worked without issue. I have not needed to do anything to XenForo for years as it just works! Now I am reading about how this new cookie setting will change things and how it will also kill your revenue from ad space. Even my ad provider, PubGalaxy, is warning me to be sure the sites are set up right with the new rules. Here is one message I received...

In regards to what changes have to be made, in short, you'd have to make sure both of your sites are secure (https://) and also decide what settings you'd like to apply to the SameSite attribute.

I have pulled out a couple of articles I believe would be helpful to understand the reason behind Google's decision to apply such changes, what they are and what and how publishers need to do in order to be compliant and not be affected negatively by the changes:

What is Chrome's SameSite cookie update?
How cookies work, their functionality of the SameSite attribute and what changes to be made
SameSite cookies explained
How to ensure settings are set correctly

I'd strongly recommend having a look at the links provided above as they shed more light on the matter as well as give you enough insight to decide what the best course of action for the specific site would be.

I STILL have no idea what I should do with XenForo 1.5.23 and what I need to add in where etc in order to have the sites still work and also, the revenue not be crushed. Heck, they even mention you need to do something to PHP. Huh?

So has anyone written anything on what we need to do for our XenForo forums to not have major issues, or even revenue loss, seeing 3rd party cookies are used for ads? (Yes, I know I am on 1.5.23... The answer is not to upgrade, for doing so is quite the undertaking, sad to say.)

Thanks.
 
I don't see much discussion about this upcoming change for XenForo 2 as well.

I checked by enabling these SameSite cookie settings through Chrome flags, and I didn't see any odd behaviour, but then when it goes live in the next Chrome version, it could spiral into all kinds of session problems with users/ad reporting etc...
 
In terms of XenForo itself, the changes shouldn't really be relevant (though they may actually increase security for some scenarios). Out of the box, we don't try to do any sort of cross-domain communication within the browser, so nothing should change there.

I can't really speak regarding things like ads though, as any cookies wouldn't be set by XenForo code. The ad providers would potentially need to be updating their code to allow their cookies to be accessed with cross-site requests. I would expect big ad providers to have already updated code as necessary. (The quoted message from an ad provider above is really not helpful as it really doesn't give any actionable advice for the types of changes they imply; the only changes I could really foresee are to their cookies, so they'd be best placed to give more specific guidance if manual changes are made.)
 
Hi Mike...

Thanks for the reply. How confusing to say the least this all is. Ad providers are saying we need to do something, as soon cookies will not work for ads as they used to, and thus anyone using 3rd party providers (as we all do who need to make income) will likely see a good decrease in revenue.

So yes, concerned to say the least. For in reading those links, it is just so confusing as to what a community forum should do, or add, so you can use 3rd party ads and they won't be rejected by the browsers. Ugh!!! We do run full https, so that's not an issue... but now this "new thing" for cookie security is just more to deal with AGAIN from Google.
 
Thanks...

Sadly, like other links, it offered no real help as to where you put such cookies etc. in the site code. It also assumes we are all coders and use the Chrome tools or even know what and where they are. LOL I have even seen reference that it needed to be in the PHP config. Huh?

I think for ads to work you would need "Set-Cookie: cname=cvalue;SameSite=None; Secure" but where does this go?
 
The good news is Chrome 80 is out and the requirement for "SameSite" Secure is not being enforced by default. This gives you some more time to track down any cross-site issues you may experience. How long this will be I have no idea; my guess is Google is tracking how many cross-site cookies they'll end up blocking by this change and can see basically no site is prepared, including their own.

Update:
The SameSite-by-default and SameSite=None-requires-Secure behaviors will begin rolling out to Chrome 80 Stable for an initial limited population starting the week of February 17, 2020, excluding the US President’s Day holiday on Monday. We will be closely monitoring and evaluating ecosystem impact from this initial limited phase through gradually increasing rollouts.
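As an added example (not code from this thread, from XenForo or from Chrome), the small Python checker below applies the two Chrome 80 rules discussed in the last few posts, a missing SameSite attribute treated as Lax and SameSite=None only honoured together with Secure, to constructed Set-Cookie headers, so you can see which cookies an embedded ad or analytics script would stop receiving. Cookie names, domains and values are made up for the example.

```python
# Added example, not from the thread or from XenForo: models the Chrome 80 SameSite
# defaults for Set-Cookie headers. Sample headers below are constructed.
from dataclasses import dataclass

@dataclass
class CookieVerdict:
    name: str
    effective_samesite: str  # "Lax", "Strict" or "None" after Chrome 80 defaults apply
    sent_cross_site: bool    # attached to an embedded third-party request (ad, iframe, XHR)?
    note: str

def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (name, value, {attribute_lowercase: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def evaluate_cookie(header: str) -> CookieVerdict:
    """Decide how Chrome 80 treats one cookie. Cross-site here means embedded
    third-party requests, which is what ad and analytics scripts rely on."""
    name, _, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    samesite = attrs.get("samesite", "").capitalize()  # "" when the attribute is absent
    if samesite == "None":
        if not secure:
            # SameSite=None without Secure is rejected outright, so it is never stored or sent
            return CookieVerdict(name, "None", False, "SameSite=None requires Secure; rejected")
        return CookieVerdict(name, "None", True, "SameSite=None; Secure: still sent cross-site")
    if samesite in ("Lax", "Strict"):
        return CookieVerdict(name, samesite, False, f"explicit SameSite={samesite}: first-party only")
    # Missing (or unrecognised) SameSite: Chrome 80 treats the cookie as Lax by default
    return CookieVerdict(name, "Lax", False, "no SameSite attribute: defaulted to Lax")

# Constructed sample headers, as a forum and an ad/analytics host might send them
SAMPLE_HEADERS = [
    "session_id=abc123; Path=/; Secure; HttpOnly",                    # no SameSite at all
    "ad_id=42; Domain=.ads.example; Path=/; SameSite=None",           # None but not Secure
    "ad_sync=7; Domain=.ads.example; Path=/; SameSite=None; Secure",  # the form quoted above
    "pref=dark; SameSite=Strict",
]

def cookies_lost_cross_site(headers):
    """Names of cookies that Chrome 80 would no longer deliver on cross-site requests."""
    return [v.name for v in map(evaluate_cookie, headers) if not v.sent_cross_site]
```

Only `ad_sync` survives the check; the first-party `session_id` cookie being defaulted to Lax is harmless for a forum that never embeds itself cross-site, which matches Mike's point above.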
 
@bzcomputers Ugh....I think that just made it more confusing. LOL Even they are not sure it seems! :)

Basically all you can do is make sure your site is running on https://, everything else is pretty much out of your hands.

There will be some external sites distributing cross-site cookies to your site (whether it be analytics, ads, etc.) that will not make the needed changes, and all of a sudden the data they were expecting to be receiving won't be there and they'll finally make the last minute changes they need to on their end. The changes for them should be pretty simple (just pass cross-site cookies over https). Which means they should be able to make the fix for compliance pretty fast.

The one thing I find interesting is the biggest offender currently showing for me right now is Google themselves. It appears both Google Analytics cookies and Google AdSense cookies are not in compliance with their own Chrome browser's cookie requirements.

...definitely not going to lose sleep over something I can't control
 