|
| 1 | +--- |
| 2 | +layout: blog_post |
| 3 | +title: "The End of Third-Party Cookies" |
| 4 | +author: edunham |
| 5 | +by: advocate |
| 6 | +communities: [devops,security,mobile,.net,java,javascript,go,php,python,ruby] |
| 7 | +description: "" |
| 8 | +tags: [] |
| 9 | +tweets: |
| 10 | +- "" |
| 11 | +- "" |
| 12 | +- "" |
| 13 | +image: blog/3pc/social.jpg |
| 14 | +type: awareness |
| 15 | +--- |
| 16 | + |
| 17 | +## What are third-party cookies? |
| 18 | + |
| 19 | +Cookies are as old as the internet. Historically, cookies were among the only options for personalizing a user's online experience and carrying their preferences from page to page. First-party cookies are issued by the web site where they're used, and third-party cookies come from other domains. |
| 20 | + |
| 21 | +third-party cookies allow user behavior to be tracked across different sites which they visit. These cookies are now creatively misused by advertisers and trackers to exploit personal information. For the legitimate tasks which used to require third-party cookies, like social integration and caching, there are now better and more privacy-respecting technologies available. |
| 22 | + |
| 23 | +Today, the drawbacks to users' security and privacy from third-party cookie implementations outweigh their benefits so much that all major browsers are phasing them out. Firefox, Edge, and Safari have been blocking third-party cookies for years, and Chrome is now phasing them out in 2024. |
| 24 | + |
| 25 | +If your code uses Okta features that rely on third-party cookies, this means that you'll need to make some changes to keep the identity experience working as intended. |
| 26 | + |
| 27 | + |
| 28 | +## Does your application use third-party cookies? |
| 29 | + |
| 30 | +Most code using Okta doesn't use third-party cookies, and won't be affected by the deprecation. Here are the design patterns in which Okta uses third-party cookies. If your application is in one of these categories, please test its behavior with third-party cookie deprecation. |
| 31 | + |
| 32 | +Okta uses cookies to let applications introspect and extend user sessions. Cookies aren't required for basic login functionality. |
| 33 | + |
| 34 | +### Web applications that rely on the Okta session for user context. |
| 35 | + |
| 36 | +If an application hosted on your domain (`mycompanyapp.com`) redirects to your Okta subdomain (`mycompany.okta.com`) for login and then returns users to your own domain, third-party cookie restrictions will limit how your app can introspect or extend the Okta session. |
| 37 | + |
| 38 | + |
| 39 | +### Customer-hosted Okta Sign-In Widget and customer-built login applications |
| 40 | + |
| 41 | +If you're hosting your own sign-in experience on a separate top level domain from your main app, you may be using third-party cookies. You might be hosting your own sign-in experience by cloning the Okta Sign-In Widget from GitHub or installing it from NPM to embed in your application, or you might have built your own custom sign-in using Okta's APIs. |
| 42 | + |
| 43 | +If your sign-in experience is hosted on the same top-level domain as your application, third-party cookie deprecation won't affect its behavior. |
| 44 | + |
| 45 | +If the sign-in experience and app are on different top-level domains, third-party cookie deprecation will break its ability to introspect and extend sessions, because these features use cookies. Authentication will still be possible, and tokens will still be returned, becasue these features do not rely on cookies. |
| 46 | + |
| 47 | +### "Remember me" Features |
| 48 | + |
| 49 | +"Remember Last Used Factor" (RLUF), "Keep me signed in" (OIE) and "Remember me" (Classic) will not function when the login application is on a third-party domain. |
| 50 | + |
| 51 | +## When will this affect you? |
| 52 | + |
| 53 | +Google has made an exemption for Okta's third-party cookies until the end of 2024. However, you can set Chrome's flags to simulate how the browser will treat Okta's third-party cookies after that exemption ends. |
| 54 | + |
| 55 | +### Test your application today! |
| 56 | + |
| 57 | +To simulate how Chrome will treat Okta's third-party cookies in 2025 and beyond, follow [Okta's help center guide](https://support.okta.com/help/s/article/deprecation-of-3rd-party-cookies-in-google-chrome?language=en_US). |
| 58 | + |
| 59 | +## What's next? |
| 60 | + |
| 61 | +Here on the Okta Developer Blog, we'll keep you up to date about how to mitigate each type of third-party cookie impact. |
| 62 | + |
| 63 | +* Learn more about [how blocking third-party cookies affects Okta environments](https://support.okta.com/help/s/article/FAQ-How-Blocking-Third-Party-Cookies-Can-Potentially-Impact-Your-Okta-Environment?language=en_US) |
| 64 | +* See the [session cookies guide](https://developer.okta.com/docs/guides/session-cookie/main/) for more on how cookies are used |
| 65 | +* [Use Chrome's feature flags](https://support.okta.com/help/s/article/deprecation-of-3rd-party-cookies-in-google-chrome?language=en_US) to test your login experience with third-party cookies disabled. |
0 commit comments