Project

General

Profile

Actions

Bug #90890

closed

Default SameSite cookie setting breaks payments

Added by Aimeos no-lastname-given over 4 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Should have
Assignee:
Category:
Frontend
Target version:
-
Start date:
2020-03-30
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
8
PHP Version:
Tags:
samesite cookie redirect
Complexity:
Is Regression:
Yes
Sprint Focus:

Description

The new default setting used by the SameSite cookie implementation (8.7.31, 9.5.14, etc.) for the frontend (SameSite=lax) breaks every TYPO3 site with a shop using an external payment provider (i.e. almost all). Due to this setting, the browser doesn't send the TYPO3 FE cookie any more to the TYPO3 site when the payment gateway redirects the browser to the TYPO3 site again after the payment. Then, there's no session any more and the payment status can't be updated.

Breaking essential functionality must not happen within a minor release and thus, we would highly recommend to use SameSite=none as default value, at least for 8.7.x and 9.5.x


Related issues 1 (0 open1 closed)

Related to TYPO3 Core - Feature #90351: Allow TYPO3 to make SameSite cookies configurableClosedBenni Mack2020-02-11

Actions
Actions

Also available in: Atom PDF