SameSite Cookie Considerations for Marketing Cloud

How can I determine if my Marketing Cloud account is affected by the SameSite cookie change?

Customers can determine if their Marketing Cloud instance is affected by testing the Chrome browser using the following steps (Please note that running these tests prior to February 7, 2020 might result in an indication of a problem within Marketing Cloud):
 

1. Open your Chrome browser (Chrome version 76 or later).

2. Type the following in the address bar: chrome://flags/

3. Enable the following flag: SameSite by default cookies.

4. Click on the Relaunch button on the right-hand side bottom corner.

5. Open the Chrome browser developer console to identify any errors associated with the SameSite cookie change.

   • To open the developer console window on Chrome, use the keyboard shortcut Ctrl Shift J (on Windows) or Ctrl Option J (on Mac). Alternatively, you can use the Chrome menu in the browser window, select the option More Tools, and then select Developer Tools.

6. Open the cloud/application you want to test in the browser and check if it's working as expected.

   • An example of an application not working as expected could be Journey Builder not rendering in the browser or Cloud Pages/Landing Pages/Microsites returning blank pages.

   • Look for warnings that mention “A cookie associated with a cross-site resource at [obfuscated here but should be in plain text in your console] was set without the SameSite attribute..."

     A cookie associated with a cross-site resource at ////////////////// was set without (index):1 the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

      

7. Remember to disable the flag and relaunch the browser after you have completed testing, since many websites across the internet will currently break with this functionality.

What if my organization uses a version of Chrome prior to version 76?

Chrome versions prior to version 76 don't provide the option for SameSite, and you'll be unaffected by the SameSite cookie change with Marketing Cloud. Additionally, you won't be able to test according to the test criteria above.
 

Is there anything I should check within my organization?

While Salesforce has addressed the Chrome SameSite cookie change with Marketing Cloud functionality, you should evaluate your own websites to ensure they aren't impacted by this change.
 

Consideration for Pages

While not enabled in the product by default, users can set cookies on web pages hosted/created within CloudPages and Classic Content. Pages are known under various names including: Microsites, Landing Pages, Mobile Push Pages, Interactive Content Pages.

Cookies are set using Salesforce Marketing Cloud Server Side JavaScript HTTPHeader.SetValue. Users will also want to verify their pages are served over HTTPS.
 

What changes do I need to make if my Marketing Cloud account is affected by the SameSite cookie change?

If you determine that your account is affected by the SameSite cookie change, you need to investigate your implementation code to ensure cookies are being utilized appropriately.