E-PIA: Chrome Blocks Cookie Without SameSite Attribute
(Doc ID 2653011.1)
Last updated on FEBRUARY 28, 2022
Applies to: PeopleSoft Enterprise PT PeopleTools - Version 8.57 and later
PeopleSoft Enterprise SCM eProcurement - Version 9.2 to 9.2 [Release 9]
Information in this document applies to any platform.
In Chrome 80, users are redirected to the third-party vendor's sign-in page, or one of the following errors appears, when they attempt to return the cart from an eProcurement PunchOut. The same issue affects Campus Solutions credit card processing and Financials eBill Payment.
"A cookie associated with a cross-site resource at was set without the `SameSite` attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at and."
"The application was unable to route the session back to the login page"
"First operand of . is NULL, so cannot access member CopyFieldsTo. (180,236) SSF_MAP_FLUID.COMPONENTS.SSF_SS_3RDPARTY_FL.OnExecute"
The issue can be reproduced at will with the following steps for the eProcurement application:
- Log in to the PeopleSoft application
- Navigate to the eProcurement page and connect to the third-party vendor (PunchOut).
- The user can shop on the vendor site, but when they try to return the cart to PeopleSoft they see a blank page.
The issue can be reproduced at will with the following steps for the Campus Solutions application:
- Log in to Student Center as a student
- On the Financial Account page, click the Make a Payment button
- On Step 4, the third-party page, enter the credit card billing information, card number and expiration date, then click Pay to be transferred to the credit card servicer's site.
- Note the error popup from SSF_MAP_FLUID.COMPONENTS.SSF_SS_3RDPARTY_FL
This is caused by Chrome 80's new default handling of the SameSite attribute on HTTP cookies: a cookie set without SameSite is now treated as SameSite=Lax, so it is no longer attached to the cross-site form POST that returns the user from the vendor or payment site to PeopleSoft, and the PeopleSoft session cannot be resumed.
What is SameSite?
SameSite is an attribute that can be set on an HTTP cookie to limit when the browser attaches that cookie to cross-site requests, which mitigates Cross-Site Request Forgery (CSRF) attacks in web applications:
When SameSite is set to Lax, the cookie is sent with requests within the same site and with top-level navigations from other sites that use a safe method such as GET. It is not sent with cross-site POST requests or with cross-site subresource requests (images, iframes, scripts, XHR/fetch). A value of Strict ensures that the cookie is sent only with requests within the same site. A value of None keeps the old behaviour, the cookie is sent on every request, but Chrome accepts SameSite=None only on cookies that also carry the Secure attribute (and therefore only over HTTPS). Before Chrome 80 an unset SameSite value imposed no restriction, so an application opted in to CSRF protection by setting Lax or Strict per its requirements. From Chrome 80 onwards a cookie with no SameSite attribute is treated as SameSite=Lax, which is why a cross-site return from a vendor site no longer carries the PeopleSoft session cookie unless that cookie is explicitly set with SameSite=None; Secure.
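The following is an added example, not code from the Oracle note or from PeopleSoft. It models the decision Chrome 80 makes when deciding whether to attach a cookie to a request under the SameSite rules described above, and applies it to the PunchOut return flow: a top-level cross-site form POST from the vendor's site back to PeopleSoft. The host names, cookie name and request shapes are constructed for illustration; the real PeopleSoft cookie names and vendor URLs are not given on this page.

```javascript
// Added example: a small model of Chrome 80's SameSite cookie rules applied to
// the PunchOut "return cart" flow. Hosts, cookie names and request shapes are
// constructed for illustration and are not taken from the Oracle note.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Registrable-domain comparison is simplified here: two hosts are "same-site"
// when their last two labels match (adequate for example.com-style hosts; real
// browsers consult the Public Suffix List).
function registrableDomain(host) {
  return host.split(".").slice(-2).join(".");
}
function isSameSite(requestHost, initiatorHost) {
  return registrableDomain(requestHost) === registrableDomain(initiatorHost);
}

// Effective SameSite mode. Chrome 80 treats a cookie that carries no SameSite
// attribute as Lax; earlier versions treated it as unrestricted (None).
function effectiveSameSite(cookie, laxByDefault) {
  if (cookie.sameSite) return cookie.sameSite;
  return laxByDefault ? "Lax" : "None";
}

// Decide whether `cookie` is attached to `request`.
//   cookie  = { name, secure, sameSite? }   ("Strict" | "Lax" | "None" | undefined)
//   request = { host, initiatorHost, method, topLevelNavigation, https }
// Returns { sent: boolean, reason: string }.
function cookieIsSent(cookie, request, { laxByDefault = true } = {}) {
  const mode = effectiveSameSite(cookie, laxByDefault);
  if (isSameSite(request.host, request.initiatorHost)) {
    return { sent: true, reason: "same-site request" };
  }
  if (mode === "Strict") {
    return { sent: false, reason: "SameSite=Strict blocks every cross-site request" };
  }
  if (mode === "Lax") {
    if (request.topLevelNavigation && SAFE_METHODS.has(request.method)) {
      return { sent: true, reason: "Lax allows a top-level navigation with a safe method" };
    }
    const why = cookie.sameSite ? "SameSite=Lax" : "no SameSite attribute, treated as Lax by Chrome 80";
    const kind = request.topLevelNavigation ? "" : " subresource";
    return { sent: false, reason: `${why}; cross-site ${request.method}${kind} request not allowed` };
  }
  // mode === "None": Chrome rejects the cookie at set time unless it is also
  // Secure, and a Secure cookie is never sent over plain HTTP.
  if (!cookie.secure) return { sent: false, reason: "SameSite=None requires Secure; cookie rejected" };
  if (!request.https) return { sent: false, reason: "Secure cookie not sent over plain HTTP" };
  return { sent: true, reason: "SameSite=None; Secure permits cross-site use" };
}

// Render the Set-Cookie header a server would emit for a cookie object.
function setCookieHeader(cookie, value) {
  const parts = [`${cookie.name}=${value}`, "Path=/", "HttpOnly"];
  if (cookie.secure) parts.push("Secure");
  if (cookie.sameSite) parts.push(`SameSite=${cookie.sameSite}`);
  return parts.join("; ");
}

// The PunchOut return: the vendor's site posts the cart back to PeopleSoft as a
// top-level cross-site form POST (constructed hosts).
const punchoutReturn = {
  host: "peoplesoft.example.edu",
  initiatorHost: "vendor.example-supplier.com",
  method: "POST",
  topLevelNavigation: true,
  https: true,
};

function punchoutOutcome(cookie, chrome80 = true) {
  return cookieIsSent(cookie, punchoutReturn, { laxByDefault: chrome80 });
}

// A session cookie set without SameSite (the pre-Chrome-80 habit) ...
const legacySession = { name: "SESSION", secure: true };
// ... and the same cookie carrying the attributes Chrome 80 requires for cross-site use.
const fixedSession = { name: "SESSION", secure: true, sameSite: "None" };

if (typeof require !== "undefined" && require.main === module) {
  console.log("Chrome 79, no SameSite :", punchoutOutcome(legacySession, false));
  console.log("Chrome 80, no SameSite :", punchoutOutcome(legacySession, true));
  console.log("Chrome 80, None; Secure:", punchoutOutcome(fixedSession, true));
  console.log(setCookieHeader(fixedSession, "opaque-session-id"));
}
```

Running the block shows the legacy cookie arriving on the cross-site POST in Chrome 79, being dropped by Chrome 80, and arriving again once it is set with SameSite=None; Secure. Two caveats the model leaves out: Chrome 80 shipped a temporary "Lax+POST" exemption that still sends a SameSite-less cookie on a top-level cross-site POST for about two minutes after it was set, so a test performed quickly after login can mask the problem; and SameSite=None re-enables the cross-site delivery that Lax was introduced to stop, so any cookie set that way needs its own CSRF defence (such as a synchronizer token) on the endpoints that accept the cross-site return.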