Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Setting Google Tag Manager cookies with SameSite and Secure attributes

Chrome is reporting the following warning:

A cookie associated with a cross-site resource at https://www.googletagmanager.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

I have two warnings of this type. The three cookies I see are gtm_auth, gtm_preview, and gtm_debug. All session cookies. I see gtm_auth is set with Secure attribute (SameSite attribute is empty). The other two cookies do not have either attribute set.

They are classified as analytical cookies, not marketing cookies, by the way.

Using Google Tag Manager, how do I set or modify these cookies? I'm not looking to update the cookies in my code. I imagine adding cookie attributes should be doable using Google Tag Manager. What is Google's stance on how to address this with Google Analytics and Google Tag Manager?

like image 296
user3621633 Avatar asked Oct 11 '19 15:10

user3621633


People also ask

How do you set a cookie with SameSite attribute?

To prepare, Android allows native apps to set cookies directly through the CookieManager API. You must declare first party cookies as SameSite=Lax or SameSite=Strict , as appropriate. You must declare third party cookies as SameSite=None; Secure .

How do you specify SameSite none and secure?

To test the effect of the new Chrome behavior on your site or cookies you manage, you can go to chrome://flags in Chrome 76+ and enable the "SameSite by default cookies" and "Cookies without SameSite must be secure" experiments.

How do I add cookies to Google Tag Manager?

Universal Analytics tags in Tag Manager can replace the name of the cookie with cookieName via a Google Analytics settings variable. In Tag Manager, open a Google Analytics settings variable and select Variable Configuration > More Settings > Fields to Set. When the Fields to Set section is expanded, click Add Row.

How do I set the SameSite cookie in Chrome?

Enable the new SameSite behavior If you are running Chrome 91 or newer, you can skip to step 3.) Go to chrome://flags and enable (or set to "Default") both #same-site-by-default-cookies and #cookies-without-same-site-must-be-secure. Restart Chrome for the changes to take effect, if you made any changes.


2 Answers

For any of these warnings, if you are not responsible for the domain then you are not responsible for updating the cookies. The Google Tag Manager team will be responsible for updating the relevant code that sets the SameSite attributes for cookies from googletagmanager.com.

At this point, the warnings are purely informational and are not impacting functionality. Enforcing this behaviour in stable Chrome is not scheduled until M80, currently targeted for Feb 2020.

like image 193
rowan_m Avatar answered Sep 19 '22 08:09

rowan_m


Chrome is already rolling out this change. You can set cookie flag in analytics.js or gtag.js for this to work, for example:

gtag('config', 'G-N2A3FMNDT5', {
  cookie_flags: 'max-age=7200;secure;samesite=none'
});

For more information and background, see this blog post: The New cookieFlags Setting In Google Analytics

like image 42
chhantyal Avatar answered Sep 18 '22 08:09

chhantyal