MC-41359 commerce patch: missing settings SameSite cookie param
The MC-41359 commerce patch fixes the issue with missing SameSite cookie parameters settings. This patch is available when the Quality Patches Tool (QPT) 1.0.20 is installed. The patch ID is MC-41359. Please note that the issue is scheduled to be fixed in Adobe Commerce 2.4.3.
Affected products and versions
The patch is created for Adobe Commerce version: Adobe Commerce on cloud infrastructure 2.4.2
Compatible with Adobe Commerce versions: Adobe Commerce on-premises and Adobe Commerce on cloud infrastructure 2.3.6-p1, 2.4.2, 2.4.2-p1
magento/quality-patches package to the latest version and check the compatibility on the Quality Patches Tool: Search for patches page. Use the patch ID as a search keyword to locate the patch.Issue
Missing settings of the SameSite cookie parameter.
Steps to reproduce:
Prerequisites:
- Open Chrome and go to chrome://flags/
- Enable SameSite by default cookies and Cookies without SameSite must be secure.
- Open the Chrome inspector.
Scenario 1:
- Enable PayPal.
- Go to the store front.
- Add a product to the cart.
- Go to checkout.
Scenario 2:
If you have New Relic enabled the warning appears on any frontend page.
Actual result:
Warning message in the browser console: A cookie associated with a cross-site resource was set without a SameSite attribute.
Expected result:
“lax” should not be added to the cookie domain; the samesite attribute should be present with default value.
Apply the patch
To apply individual patches, use the following links depending on your deployment method:
- Adobe Commerce or Magento Open Source on-premises: Software Update Guide > Apply Patches in our developer documentation.
- Adobe Commerce on cloud infrastructure: Upgrades and Patches > Apply patches in our developer documentation.
Related reading
To learn more about Quality Patches Tool, refer to:
For info about other patches available in QPT tool, refer to Patches available in QPT tool in our developer documentation.