We have recently received complaints about scripts not working properly in the latest Chrome browser when a script is installed on one website but its front end is used on another website, i.e. so-called cross-domain usage.

 

Here are some cases we have noticed. For example:

 - Time Slots Calendar - the time slots are unresponsive and cannot be selected

 - Bookings scripts that have "search by dates" display them as 1/1/1970 on the next step after the initial search

 - Catering System - an amount has been added to the cart but when the cart is selected it says that it is empty

 - Appointment Scheduler, Service Booking scripts - the slots cannot be selected etc.

 

Unfortunately, this is related to a Google Chrome update made some time ago that changes how cookies are handled, specifically the SameSite cookie attribute. This was not an issue with previous versions of the browser, but Google has now decided to enforce this security policy. It requires website owners to explicitly set the SameSite attribute on their cookies; otherwise it defaults to "Lax". The way this affects our scripts (and cookies in general) is that if a request is not made from the same domain, the browser does not allow the cookie to be stored or sent. Our scripts do not rely on browser cookies, except for the session cookie, which is very important: it uniquely identifies the user's requests on the website. If it is not saved and passed back by the browser, a new session cookie is created automatically. When the browser does this, all the script's data is lost because the session cookie is no longer the same. The request is treated as coming from another user, and what was saved in the previous session on the server is no longer available (the session ID is different now). This is why the scripts don't seem to react to any selection, slot click, chosen date, product added to cart etc.: everything looks as if it was never set or selected.

 

This is why the session cookie is so important and must be set. It is our connection between the script and the user's details, and without it the scripts do not work. Since the SameSite policy blocks the session cookie (if the attribute is not explicitly set), this must be corrected. We have done this in all our scripts, but customers who purchased and downloaded scripts earlier and are using them cross-domain will experience this issue in the Chrome browser. The issue is simple to solve, and below we explain in detail how you can fix it yourself.

 

IMPORTANT:  This update has already been included in scripts based on our latest framework

 

As we said, if the SameSite attribute is not set it defaults to "Lax", which prevents third-party cookies (those from other domains) from being saved and passed in the user's requests. With this status, cookies are only set when the domain in the browser's URL matches the domain of the cookie, i.e. a first-party cookie. What we have to do is set this attribute to "None", which allows the cookie to be sent with third-party (cross-site) requests. Note though that cookies marked "SameSite=None" must also be marked "Secure". This is required by the browser, and it also means that this cookie will only be created and sent over HTTPS requests.

  

The solution

 

IMPORTANT: This change affects only the scripts that use JavaScript integration code for the front end on remote websites. If you use the script on the same domain, or if you use one of the scripts with the PHP include integration code, this update is not needed.

 

If your script is in the category that needs the update, you need to set the session cookie's SameSite attribute to "None" and mark it "Secure".

 

How to do this?

 

1) Open this file:

app/controllers/pjFront.controller.php

 

2) Find the function called:  protected static function allowCORS()

 

3) This line has to be added to the list of headers:

header('Set-Cookie: '.session_name().'='.session_id().'; SameSite=None; Secure');

 

i.e. if the list is this one:

 

header('P3P: CP="ALL DSP COR CUR ADM TAI OUR IND COM NAV INT"');

header("Access-Control-Allow-Origin: $origin");

header("Access-Control-Allow-Credentials: true");

header("Access-Control-Allow-Methods: POST, GET, OPTIONS");

header("Access-Control-Allow-Headers: Origin, X-Requested-With");

 

there will be one more line like this:

 

header('P3P: CP="ALL DSP COR CUR ADM TAI OUR IND COM NAV INT"');

header("Access-Control-Allow-Origin: $origin");

header("Access-Control-Allow-Credentials: true");

header("Access-Control-Allow-Methods: POST, GET, OPTIONS");

header("Access-Control-Allow-Headers: Origin, X-Requested-With");

header('Set-Cookie: '.session_name().'='.session_id().'; SameSite=None; Secure');

 

IMPORTANT: The script must be installed under HTTPS, i.e. on a website with a valid SSL certificate!
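As an added example (not the vendor's own code), here is a hardened variant of the allowCORS() function from step 2 that applies the same fix: it restricts Access-Control-Allow-Origin to an allowlist of embedding sites, answers preflight requests, and issues the session cookie with SameSite=None; Secure (plus HttpOnly). The function name, the $allowedOrigins list, the example origins and the PHP >= 7.3 requirement for the array form of session_set_cookie_params() are assumptions.

```php
<?php
// Added example, not the vendor's code: hardened form of the allowCORS() fix.
// Assumes PHP >= 7.3 and a known list of sites that embed the front end.
function allowCorsWithSameSiteNone(array $allowedOrigins): bool
{
    $origin = $_SERVER['HTTP_ORIGIN'] ?? '';
    // Reflect only trusted origins. With Allow-Credentials: true and a
    // SameSite=None session cookie, an unrestricted origin would let any site
    // make credentialed requests, so this allowlist is the remaining safeguard.
    if ($origin === '' || !in_array($origin, $allowedOrigins, true)) {
        return false;
    }

    header("Access-Control-Allow-Origin: $origin");
    header('Vary: Origin'); // stop caches serving one origin's answer to another
    header('Access-Control-Allow-Credentials: true');
    header('Access-Control-Allow-Methods: POST, GET, OPTIONS');
    header('Access-Control-Allow-Headers: Origin, X-Requested-With');

    // Preflight requests carry no session state; answer and stop.
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'OPTIONS') {
        http_response_code(204);
        return true;
    }

    if (session_status() === PHP_SESSION_ACTIVE) {
        // Session already started with default flags: re-issue the cookie,
        // the same approach as the Set-Cookie line added in step 3.
        header('Set-Cookie: ' . session_name() . '=' . session_id()
            . '; Path=/; SameSite=None; Secure; HttpOnly');
        return true;
    }

    // Session not started yet: let PHP emit the cookie with the right flags.
    // SameSite=None is only honoured with Secure, so the install URL must be HTTPS.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,  // keep the session id out of reach of page scripts
        'samesite' => 'None',
    ]);
    session_start();
    return true;
}

// Constructed usage: the two sites that embed the booking front end.
allowCorsWithSameSiteNone(['https://shop.example.com', 'https://booking.example.net']);
```

Because SameSite=None gives up the cross-site protection that the Lax default provided, the origin allowlist is what keeps other sites from making credentialed requests to the script; do not reflect an arbitrary Origin header when Access-Control-Allow-Credentials is true.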

 

If the script is not installed under HTTPS but there is SSL on the domain then:

1. Open this file app/config/config.inc.php

2. Change the install URL to start with https instead of http and save.

3. Replace the integration code on all pages on which it is used.

 

Clear the browser cache and test to verify that your script now works in Chrome as well.

 

Here are some links with details about the SameSite cookie attribute, its possible values, and the Chrome update regarding it:

https://www.chromium.org/updates/same-site

https://www.chromestatus.com/feature/5088147346030592