How do I resolve same-site none for cookie given by Google Adwords Tracking? #4

Open
bensontrent opened this issue Oct 13, 2019 · 13 comments
Labels
question Further information is requested


@bensontrent

bensontrent commented Oct 13, 2019

My client's website is getting these SameSite cookie warnings in Chrome. The cookies are due to Google Ad Conversion Tracking on a WordPress site. The site is on an Apache/2.4.7 (Ubuntu) hosted by DreamHost running PHP 7.1, always running on https. To my .htaccess file, I've tried adding:

    Header always edit Set-Cookie (.*) "$1; SameSite=Lax"

and I tried

    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

...and I tried

    Header always edit Set-Cookie (.*) "$1; SameSite=None;Secure"

as well as many other combinations.

I've tried your code for PHP 7.2 and below as shown on this website:

    header('Set-Cookie: cross-site-cookie=bar; SameSite=None; Secure');

Could we get some clarity on where this code should go? And perhaps a real working example? Does it go in an .htaccess file or in php.ini, or where in the PHP code should it be called? Also, it's not clear what should be used for the "name" in your example code, or if I even need to change that value, as the dev tools show over 10 cookie names associated with the Google address.

Here's the warning I'm getting in the Chrome Console:

(index):1 A cookie associated with a resource at http://google.com/ was set with SameSite=None but without Secure. A future release of Chrome will only deliver cookies marked SameSite=None if they are also marked Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5633521622188032.

@rowan-m
Collaborator

rowan-m commented Oct 31, 2019

The cookies triggering the warning are coming from google.com so you will not be able to alter them. The Ads team is aware of these issues and is working to get their cookies fixed before the Feb 2020 stable date. It also means that none of the header directives you're specifying will affect the google.com cookie; they will only cover cookies set for your site.

If you have any cookie warnings that specifically list a domain you control, then you will need to add the correct attributes.

That said - I'll leave this open because I should get some Apache examples in to show transforming cookies.
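Added example, not part of the thread or of the project's code: a small audit that takes (responding host, `Set-Cookie` value) pairs and reports, per cookie name, which of the two conditions from the Chrome warnings applies and whether the cookie comes from a domain you control. The sample data, the `example.test` and `ads.thirdparty.test` hosts and all function names are constructed for illustration.

```python
# Added example with constructed data; all names here are hypothetical.
VALID_SAMESITE = {"strict", "lax", "none"}

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {lower-cased attribute: value})."""
    first, *rest = [part.strip() for part in value.split(";")]
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return first.split("=", 1)[0], attrs

def classify(attrs):
    """Apply the two conditions named in the Chrome console warnings."""
    samesite = attrs.get("samesite", "").lower()
    if samesite not in VALID_SAMESITE:
        return "no-samesite"          # missing or unrecognised: handled as Lax
    if samesite == "none" and "secure" not in attrs:
        return "none-without-secure"  # SameSite=None is only honoured with Secure
    return "ok"

def is_own_host(host, own_domains):
    """True when host equals, or is a subdomain of, a domain we control."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in own_domains)

def audit(responses, own_domains):
    """Return (host, cookie name, issue, fixable_by_us) for each Set-Cookie."""
    rows = []
    for host, header in responses:
        name, attrs = parse_set_cookie(header)
        rows.append((host, name, classify(attrs), is_own_host(host, own_domains)))
    return rows

def needs_review(rows):
    """Flagged cookies that are set by a host we control."""
    return [(name, issue) for _, name, issue, ours in rows if ours and issue != "ok"]

# Constructed sample, shaped like values copied from the DevTools Network tab.
# ads.thirdparty.test stands in for a third-party domain such as google.com.
OWN = {"example.test"}
SAMPLE = [
    ("www.example.test", "session=abc123; Path=/; HttpOnly"),
    ("www.example.test", "widget=1; SameSite=None"),
    ("www.example.test", "prefs=dark; SameSite=Lax; Secure"),
    ("ads.thirdparty.test", "track=xyz; Path=/"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE, OWN):
        print(row)
```

A `no-samesite` result on a first-party-only cookie is usually harmless, since Lax handling still sends it on same-site requests; it matters for cookies that must be delivered in a cross-site context.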

@bensontrent
Author

I did a lot of reading on the SameSite warnings and somehow the basics had eluded me. The clarity you've given will help me authoritatively explain the warnings to my client. Thank you so much for this answer!

@waruyama

waruyama commented Feb 5, 2020

Why is the name of the Cookie not included in the message? "A cookie associated with a cross-site..." is very obscure. Why not write "The cookie "auth0_compat" associated with a cross-site..."? Currently I get the SameSite warning and I just cannot find the cookie that it refers to (yes, I read the debugging about SameSite changes).

@chriskallen

Now that Chrome 80 is being rolled out is there any update as to when Google are going to fix the adwords tracking?

@peiche

peiche commented Feb 5, 2020

Based on the Chromium SameSite updates page, I believe the SameSite behavior won't be rolled out until Feb 17.

@rowan-m rowan-m added the question Further information is requested label Feb 18, 2020
@MRZMUH001

Is there anyone we can contact to get an update re Google Adwords team rolling out the changes on their side?

@gpxjordan

My OpenCart 2.3 also seems to have the same problem with SameSite, but based on your discussion, I still don't know how to solve this problem.

Can anyone tell me what to do?

For my payment gateway and Facebook Message module, there are related warning messages and they do not work correctly:
messageImage_1584409464615

When I remove Facebook messages, the screen displayed by Google Chrome:
messageImage_1584595133643

Can you tell me how to fix it step by step?

Thank you!

@rowan-m
Collaborator

rowan-m commented Mar 20, 2020

Google's cookies should generally be fixed now. You will still see warnings as:

  • some cookies that are only for 1P usage may not have been updated, so they will be restricted without impacting functionality
  • some cookies that are for 3P usage may not include the SameSite attribute for compatibility reasons with old browsers
  • your browser may still have cookies that have not been updated

To reduce noise, I suggest testing in an incognito session ensuring that you only visit the site under test to reduce the amount of extra cookies in the browser.

However, be aware that you may still see warnings for blocked cookies that are not affecting the behaviour of the site.

In the example screenshot above the error is related to a Content-Security Policy directive. In this case, I would investigate how the Facebook functionality you are using is being embedded in the page.

@alexpov

alexpov commented Apr 2, 2020

using google analytics in a chrome extension

    static setup() {
        (function(i, s, o, g, r, a, m) {
            i['GoogleAnalyticsObject'] = r;
            (i[r] =
                i[r] ||
                function() {
                    (i[r].q = i[r].q || []).push(arguments);
                }),
                (i[r].l = 1 * new Date());
            (a = s.createElement(o)), (m = s.getElementsByTagName(o)[0]);
            a.async = 1;
            a.src = g;
            m.parentNode.insertBefore(a, m);
        })(
            window,
            document,
            'script',
            'https://www.google-analytics.com/analytics.js',
            'ga'
        ); // Note: https protocol here

        ga('create', google_analitycs_token, 'auto'); // Enter your GA identifier
        ga('set', 'checkProtocolTask', function() {}); // Removes failing protocol check. @see: http://stackoverflow.com/a/22152353/1958200
    }

Chrome version:
Google Chrome is up to date
Version 80.0.3987.162 (Official Build) (64-bit)

When loading the extension getting "ERROR" mark:
image

which is this warning:

A cookie associated with a cross-site resource at http://google.com/ was set without the SameSite attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

The warning itself is not an issue, however, getting an ERROR flag due to this, is an issue. This cookie setting should have been fixed with version 80? Still, work in progress?

@gpxjordan

Thanks for your reply!

In fact, I have very limited information, I can only provide how to reproduce the environment that may cause this.

Can you use the test account I provided to test the checkout process?

My test steps:
Enter in the URL column of Chrome: chrome://flags/ and search "SameSite"

Enable the following experiments:
SameSite by default cookies
Cookies without SameSite must be secure

Product link to test the checkout process:
https://www.tylee.tw/?route=product/product&product_id=10008

Email address: test@tylee.tw
Password: ZtU1YoRnQzwfp5ojNoVK

Please select the same payment and shipping method:
image

Please select the same payment method: ATM(僅限台灣地區使用)
image

Please select any store and click [確認]
image

image

image

image

Please select any bank name and click [取得繳費帳號]:
image

Please click this button: [返回商店]
image

Can you test if all the checkout processes have been fixed for me?

This is My Facebook message code information, I also temporarily restored this code:

Copy/Paste this code into the or tag of your website (same as your Google Analytics code).

<script async src="//static.zotabox.com/8/2/82bb83cfadf95ad1f9045a684ad591f1/widgets.js"></script>
Step 1: Refresh website browser after embedding code.
Step 2: Turn on tool and refresh browser again (Ctrl+F5).

Dear Sir, Can you help me test?

Thank you!

@shawnnaquin

Has there been any movement on this issue? I'm managing GTMs for an advertising firm that is seeing this same issue across dozens of websites.

Using Google Tag Assistant we see An error occured while the tag was fired: net::ERR_ABORTED.

In the Chrome inspector we get: "A cookie associated with a cross-site resource at http://google.com/ was set without the SameSite attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032."

We've been in touch with support at Google Ads, they cannot help. Our tags are valid html.

Another tell is that using "#google-wcc-force" no longer works as a debug tool. If you click "force" you can see the tag rewrite the phone numbers.

Here is one such webpage where you can see the issue:
https://www.cosselawfirm.com/

Thanks,
Shawn

@Praveenbobby

I am facing an error in Chrome (after logging in to the page by providing username and password it's allowing, but when we sign out of the page and refresh the login page it's not asking for the credentials, it's logging in to the page directly without asking for the credentials). Can someone please help on how to overcome this situation? I tried the below scenarios but it's not working.

Trial 1:

    # 1. Add SameSite=None and Secure if no SameSite already.
    Header always edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=None; Secure" env=!SAMESITE_SKIP

Trial 2:

    # 1. Add SameSite=None and Secure if no SameSite already.
    Header always edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=None; Secure"

Trial 3:

    # 1. Add SameSite=None and Secure if no SameSite already.
    Header always edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=None; Secure" env=!SAMESITE_SKIP
    Header onsuccess edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=None; Secure" env=!SAMESITE_SKIP

Trial 1:

    # 1. Add SameSite=None and Secure if no SameSite already.
    Header always edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=None; Secure" env=SAMESITE_SKIP

Trial 2:

    # 1. Add SameSite=None and Secure if no SameSite already.
    Header always edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=None; Secure"

Trial 3:

    # 1. Add SameSite=None and Secure if no SameSite already.
    Header always edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=None; Secure" env=SAMESITE_SKIP
    Header onsuccess edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=None; Secure" env=SAMESITE_SKIP

@Praveenbobby

My client's website is getting these SameSite cookie warnings in Chrome. The cookies are due to Google Ad Conversion Tracking on a WordPress site. The site is on an Apache/2.4.7 (Ubuntu) hosted by DreamHost running PHP 7.1, always running on https. To my .htaccess file, I've tried adding:

    Header always edit Set-Cookie (.*) "$1; SameSite=Lax"

and I tried

    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

...and I tried

    Header always edit Set-Cookie (.*) "$1; SameSite=None;Secure"

as well as many other combinations.

I've tried your code for PHP 7.2 and below as shown on this website:

    header('Set-Cookie: cross-site-cookie=bar; SameSite=None; Secure');

Could we get some clarity on where this code should go? And perhaps a real working example? Does it go in an .htaccess file or in php.ini, or where in the PHP code should it be called? Also, it's not clear what should be used for the "name" in your example code, or if I even need to change that value, as the dev tools show over 10 cookie names associated with the Google address.

Here's the warning I'm getting in the Chrome Console:

(index):1 A cookie associated with a resource at http://google.com/ was set with SameSite=None but without Secure. A future release of Chrome will only deliver cookies marked SameSite=None if they are also marked Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5633521622188032.

This site is hosted on IBM HTTP Server and the below changes are done in the httpd.conf file. The issue is that we logged in to the client page, and when we sign out from that page it's getting signed out from that page, but when we refresh the page the credentials are taken automatically; credentials have to be asked for. But in IE it's working fine. Could you please help me on this?

Trial 1:

    # 1. Add SameSite=None and Secure if no SameSite already.
    Header always edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=None; Secure" env=!SAMESITE_SKIP

Trial 2:

    # 1. Add SameSite=None and Secure if no SameSite already.
    Header always edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=None; Secure"

Trial 3:

    # 1. Add SameSite=None and Secure if no SameSite already.
    Header always edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=None; Secure" env=!SAMESITE_SKIP
    Header onsuccess edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=None; Secure" env=!SAMESITE_SKIP

Trial 1:

    # 1. Add SameSite=None and Secure if no SameSite already.
    Header always edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=None; Secure" env=SAMESITE_SKIP

Trial 2:

    # 1. Add SameSite=None and Secure if no SameSite already.
    Header always edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=None; Secure"

Trial 3:

    # 1. Add SameSite=None and Secure if no SameSite already.
    Header always edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=None; Secure" env=SAMESITE_SKIP
    Header onsuccess edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=None; Secure" env=SAMESITE_SKIP

Trial 1:

    # 2. Remove duplicate SECURE flag (this keeps the above regex simpler)
    Header always edit Set-Cookie "(.*(\s+|;)(?i)Secure(\s+|;).*) Secure$" "$1" env=!SAMESITE_SKIP

Trial 2:

    # 2. Remove duplicate SECURE flag (this keeps the above regex simpler)
    Header always edit Set-Cookie "(.*(\s+|;)(?i)Secure(\s+|;).*) Secure$" "$1" env=!SAMESITE_SKIP
    Header onsuccess edit Set-Cookie "(.*(\s+|;)(?i)Secure(\s+|;).*) Secure$" "$1" env=!SAMESITE_SKIP
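Added example, not part of the thread or of the project's code: the two-step `Header edit` rewrite from the comment above, reproduced with Python's `re` so its effect on individual `Set-Cookie` values can be checked offline. It assumes the patterns are meant with `.*` wildcards, rewrites the mid-pattern `(?i)` as a scoped `(?i:...)` group (Python rejects global flags in that position), and uses constructed cookie values and hypothetical function names.

```python
import re

# Step 1: append "; SameSite=None; Secure" when no SameSite attribute exists.
ADD_SAMESITE = re.compile(r"^(?!.*(\s+|;)(?i:SameSite=))(.*)")
# Step 2: drop the appended " Secure" when an earlier Secure flag is present.
DROP_DUP_SECURE = re.compile(r"(.*(\s+|;)(?i:Secure)(\s+|;).*) Secure$")

def rewrite(set_cookie, skip=False):
    """Apply both edits in order.

    skip=True models the SAMESITE_SKIP environment variable being set, which
    disables directives guarded by env=!SAMESITE_SKIP.
    """
    if skip:
        return set_cookie
    step1 = ADD_SAMESITE.sub(r"\g<0>; SameSite=None; Secure", set_cookie, count=1)
    return DROP_DUP_SECURE.sub(r"\1", step1, count=1)

# Constructed Set-Cookie values covering the cases the two directives target.
SAMPLES = [
    "session=abc; Path=/; HttpOnly",   # no SameSite, no Secure
    "id=1; Secure; Path=/",            # no SameSite, already Secure
    "pref=x; samesite=lax",            # SameSite present, different case
    "cart=9; SameSite=Strict; Secure", # SameSite present, left untouched
]

def run_samples():
    """Return {original value: rewritten value} for the constructed samples."""
    return {value: rewrite(value) for value in SAMPLES}

if __name__ == "__main__":
    for before, after in run_samples().items():
        print(f"{before!r}\n  -> {after!r}")
```

The first sample shows the side effect to weigh before deploying the rule site-wide: an unlabelled session cookie is opted into cross-site delivery with `SameSite=None`, giving up the Lax handling it would otherwise get by default.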
