MC-41359 commerce patch: missing settings SameSite cookie param

The MC-41359 commerce patch fixes the issue where the SameSite cookie parameter setting is missing. This patch is available when the Quality Patches Tool (QPT) 1.0.20 is installed. The patch ID is MC-41359. Please note that the issue is scheduled to be fixed in Adobe Commerce 2.4.3.

Affected products and versions

The patch is created for Adobe Commerce version: Adobe Commerce on cloud infrastructure 2.4.2

Compatible with Adobe Commerce versions: Adobe Commerce on-premises and Adobe Commerce on cloud infrastructure 2.3.6-p1, 2.4.2, 2.4.2-p1

The patch might become applicable to other versions with new Quality Patches Tool releases. To check if the patch is compatible with your Adobe Commerce version, update the magento/quality-patches package to the latest version and check the compatibility on the Quality Patches Tool: Search for patches page. Use the patch ID as a search keyword to locate the patch.


The SameSite cookie parameter setting is missing.

Steps to reproduce:


  • Open Chrome and go to chrome://flags/
  • Enable "SameSite by default cookies" and "Cookies without SameSite must be secure".
  • Open the Chrome inspector.

Scenario 1:

  1. Enable PayPal.
  2. Go to the storefront.
  3. Add a product to the cart.
  4. Go to checkout.

Scenario 2:

If you have New Relic enabled, the warning appears on any frontend page.

Actual result:

Warning message in the browser console: A cookie associated with a cross-site resource was set without a SameSite attribute.

Expected result:

"lax" should not be added to the cookie domain; the SameSite attribute should be present with the default value.
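To verify the expected result outside the browser console, the following added example (not Adobe's code and not part of the patch) audits Set-Cookie header values for the symptoms described above. The sample headers, cookie names and host are constructed, and treating a SameSite keyword as the whole Domain value is an assumption about how the misplaced "lax" appears.

```python
# Added example: flags the Set-Cookie symptoms described in this article.
SAMESITE_VALUES = {"strict", "lax", "none"}

# Constructed sample Set-Cookie values (hypothetical names and host).
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; path=/; domain=shop.example.test; secure; HttpOnly",
    "demo_cart=1; path=/; domain=lax; secure; HttpOnly",
    "demo_form=xyz; path=/; domain=shop.example.test; secure; SameSite=Lax",
    "demo_apm=1; path=/; SameSite=None",
]


def audit_set_cookie(header_value):
    """Return (cookie_name, findings) for one Set-Cookie header value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()

    findings = []
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append("missing SameSite attribute")
    elif samesite.lower() not in SAMESITE_VALUES:
        findings.append("invalid SameSite value")
    elif samesite.lower() == "none" and "secure" not in attrs:
        # Chrome's "Cookies without SameSite must be secure" behaviour.
        findings.append("SameSite=None without Secure")

    # Assumption: a misplaced value shows up as the whole Domain attribute.
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain in SAMESITE_VALUES:
        findings.append("SameSite value in Domain attribute")
    return name, findings


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        cookie, problems = audit_set_cookie(header)
        print(cookie, "->", problems or "ok")
```

Feed it the Set-Cookie values captured from a checkout page before and after applying the patch; a patched store should report no findings for its own cookies.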

Apply the patch

To apply individual patches, use the following links depending on your deployment method:

To learn more about Quality Patches Tool, refer to:

For information about other patches available in QPT, refer to "Patches available in QPT tool" in our developer documentation.