MC-41359 commerce patch: missing settings SameSite cookie param
The MC-41359 commerce patch fixes the issue where the SameSite cookie parameter settings are missing. This patch is available when the Quality Patches Tool (QPT) 1.0.20 is installed. The patch ID is MC-41359. Please note that the issue is scheduled to be fixed in Adobe Commerce 2.4.3.
Affected products and versions
The patch is created for Adobe Commerce version: Adobe Commerce on cloud infrastructure 2.4.2
Compatible with Adobe Commerce versions: Adobe Commerce on-premises and Adobe Commerce on cloud infrastructure 2.3.6-p1, 2.4.2, 2.4.2-p1
The patch might become applicable to other versions with new Quality Patches Tool releases. To check if the patch is compatible with your Adobe Commerce version, update the magento/quality-patches package to the latest version and check the compatibility on the QPT landing page. Use the patch ID as a search keyword to locate the patch.
Missing settings of the SameSite cookie parameter.
Steps to reproduce:
- Open Chrome and go to chrome://flags/
- Enable "SameSite by default cookies" and "Cookies without SameSite must be secure".
- Open the Chrome inspector.
- Enable PayPal.
- Go to the store front.
- Add a product to the cart.
- Go to checkout.
If you have New Relic enabled, the warning appears on any frontend page.
Warning message in the browser console: A cookie associated with a cross-site resource was set without a SameSite attribute.
"lax" should not be added to the cookie domain; the SameSite attribute should be present with its default value.
Apply the patch
To apply individual patches, use the following links depending on your deployment method:
To learn more about Quality Patches Tool, refer to:
For info about other patches available in QPT tool, refer to Patches available in QPT tool in our developer documentation.
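To check the symptom described above without relying on the browser console, before and after applying the patch, the following added example (not part of the patch or of Adobe's code) audits `Set-Cookie` header values. The sample headers are constructed, and the exact form of the "lax in the cookie domain" symptom is an assumption.

```python
# Added example: audit Set-Cookie header values for the SameSite problems
# described on this page. Sample headers are constructed, not captured.
SAMESITE_VALUES = {"lax", "strict", "none"}

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = value.strip()
    return name, attrs

def audit_cookie(header):
    """Return a list of findings for one Set-Cookie header value."""
    _, attrs = parse_set_cookie(header)
    findings = []
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append("missing SameSite attribute")
    elif samesite.lower() not in SAMESITE_VALUES:
        findings.append("invalid SameSite value: " + samesite)
    elif samesite.lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure")
    # Assumption: "lax added to the cookie domain" shows up as a Domain
    # value that ends with the keyword instead of a real hostname label.
    domain = attrs.get("domain", "").lower().rstrip(".")
    if domain.endswith("lax"):
        findings.append("Domain value ends with a SameSite keyword: " + domain)
    return findings

def audit_response(set_cookie_headers):
    """Map cookie name -> findings, for cookies with at least one finding."""
    report = {}
    for header in set_cookie_headers:
        name, _ = parse_set_cookie(header)
        findings = audit_cookie(header)
        if findings:
            report[name] = findings
    return report

# Constructed sample headers (hypothetical values and domain).
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; path=/; domain=shop.example.com; secure; HttpOnly",
    "form_key=xyz; path=/; domain=shop.example.comlax; secure",
    "private_content_version=1; path=/; secure; SameSite=Lax",
    "tracker=1; path=/; SameSite=None",
]
```

Feed `audit_response` the `Set-Cookie` values taken from a storefront or checkout response; an empty report means every cookie carries a valid SameSite attribute.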