|
| 1 | +--- |
| 2 | +layout: blog_post |
| 3 | +title: "The End of Third-Party Cookies" |
| 4 | +author: edunham |
| 5 | +by: advocate |
| 6 | +communities: [devops,security,mobile,.net,java,javascript,go,php,python,ruby] |
| 7 | +description: "Google Chrome is deprecating all third-party cookies in 2024. How will this affect your Okta application, remember me features, and Okta Sign-In Widget?" |
| 8 | +tags: [third-party-cookies, okta-sign-in-widget] |
| 9 | +tweets: |
| 10 | +- "" |
| 11 | +- "" |
| 12 | +- "" |
| 13 | +image: blog/3pc/social.jpg |
| 14 | +type: awareness |
| 15 | +--- |
| 16 | + |
| 17 | +## What are third-party cookies? |
| 18 | + |
| 19 | +Cookies are as old as the internet. Historically, cookies were among the only options for personalizing a user's online experience and carrying their preferences from page to page. First-party cookies are issued by the web site where they're used, and third-party cookies come from other domains. |
| 20 | + |
| 21 | +Third-party cookies allow user behavior to be tracked across different sites. These cookies are now widely abused to collect and share users' data. For the legitimate use cases which used to depend on third-party cookies, like federated logins and multi-brand identity providers, more secure options are actively being developed. |
| 22 | + |
| 23 | +Today, the drawbacks to users' security and privacy from third-party cookie implementations outweigh their benefits so much that all major browsers are phasing them out. Safari has blocked third-party cookies for years, and Firefox retricts third-party cookies associated with trackers. Chrome is now [phasing out third-party cookies](https://developers.google.com/privacy-sandbox/3pcd) in 2024. |
| 24 | + |
| 25 | +If a user has a cookie from okta.com in their browser, that cookie will count as first-party when accessed by the okta.com website, and it will count as third-party when accessed from a website on any other domain. |
| 26 | + |
| 27 | +When a user logs into their Okta account in a web browser, a [session cookie](https://developer.okta.com/docs/guides/session-cookie/main/#about-okta-session-cookies) stores state information about their login session. These cookies are usually first-party, but in some situations they can be third-party. If your application uses cookies from domains other than the ones they were issued for, you'll need to make some changes to keep the identity experience working as intended. |
| 28 | + |
| 29 | + |
| 30 | +## Does your Okta application use third-party cookies? |
| 31 | + |
| 32 | +Most of Okta's core auth flows do not rely on third-party cookies. When third-party cookies are used, they normally augment the basic login experience or add convenience features. The following sections outline all the design patterns in which Okta uses third-party cookies. If your application is in one of these categories, please test its behavior with third-party cookie deprecation. |
| 33 | + |
| 34 | +Okta uses cookies to let applications introspect and extend user sessions. Cookies aren't required for basic login functionality. |
| 35 | + |
| 36 | +### Third-party cookie deprecation affects web applications that rely on the Okta session for user context |
| 37 | + |
| 38 | +If an application hosted on your domain (`mycompanyapp.com`) redirects to your Okta subdomain (`mycompany.okta.com`) for login and then returns users to your own domain, third-party cookie restrictions will limit how your app can introspect or extend the Okta session. |
| 39 | + |
| 40 | +### Third-party cookie deprecation affects customer-hosted Okta Sign-In Widget and customer-built login applications |
| 41 | + |
| 42 | +If you're hosting your own sign-in experience on a separate top level domain from your main app, you may be using third-party cookies. You might be hosting your own sign-in experience by cloning the Okta Sign-In Widget from GitHub or installing it from NPM to embed in your application, or you might have built your own custom sign-in using Okta's APIs. |
| 43 | + |
| 44 | +If your sign-in experience is hosted on the same top-level domain as your application, third-party cookie deprecation won't affect its behavior. |
| 45 | + |
| 46 | +If the sign-in experience and app are on different top-level domains, third-party cookie deprecation will break its ability to introspect and extend sessions, because these features use cookies. Authentication will still be possible, and tokens will still be returned, because these features do not rely on cookies. |
| 47 | + |
| 48 | +If you're using a custom domain like `login.mycompany.com` in your sign-in widget configuration, cookies will be written to the domain which received the request. If your Sign-In Widget configuration sets `login.mycompany.com` as the `baseUrl` or `issuer`, cookies will be issued for `mycompany.com` when a user logs in, so those cookies are first-party to all `mycompany.com` web pages. |
| 49 | + |
| 50 | +If you have a self-hosted Sign-In Widget with `mycompany.okta.com` configured as the `baseUrl` or `issuer` in its settings, cookies will be issued for `okta.com` and will be first-party to `okta.com` but third-party to `mycompany.com`. |
| 51 | + |
| 52 | +### Third-party cookie deprecation affects "remember me" features |
| 53 | + |
| 54 | +"Remember Last Used Factor" (RLUF), for automatically selecting the user's preferred factor, uses third-party cookies. The "keep me signed in" feature of Okta Identity Engine and "Remember me" feature of Okta Classic rely on third-party cookies when the login application is on a different domain from the main app. |
| 55 | + |
| 56 | +## When will this affect you? |
| 57 | + |
| 58 | +Google has made an exemption for Okta's third-party cookies until the end of 2024. However, you can set Chrome's flags to simulate how the browser will treat Okta's third-party cookies after that exemption ends. |
| 59 | + |
| 60 | +### Test your application today! |
| 61 | + |
| 62 | +To simulate how Chrome will treat Okta's third-party cookies in 2025 and beyond, follow [the Okta help center's testing guide](https://support.okta.com/help/s/article/deprecation-of-3rd-party-cookies-in-google-chrome?language=en_US). |
| 63 | + |
| 64 | +## What's next? |
| 65 | + |
| 66 | +Here on the Okta Developer Blog, we'll keep you updated about how to mitigate each type of third-party cookie impact. |
| 67 | + |
| 68 | +* Learn more about [how blocking third-party cookies affects Okta environments](https://support.okta.com/help/s/article/FAQ-How-Blocking-Third-Party-Cookies-Can-Potentially-Impact-Your-Okta-Environment?language=en_US). |
| 69 | +* See the [Okta session cookies guide](https://developer.okta.com/docs/guides/session-cookie/main/) for more on how cookies are used. |
| 70 | +* [Use Chrome's feature flags](https://support.okta.com/help/s/article/deprecation-of-3rd-party-cookies-in-google-chrome?language=en_US) to test your login experience with third-party cookies disabled. |
0 commit comments