
Cookies, Single Sign-On, and You

What’s the problem?

As part of a concerted effort to protect end user privacy and increase browser security, major web browsers have been making changes to their treatment of 3rd party cookies. These changes are designed to cripple ad targeting services that track user behavior online and rely on 3rd party cookies. 

Apple Safari, Mozilla Firefox, Microsoft Edge, and Google Chrome have all implemented prevention of 3rd party cookies by default. Other improvements include limiting cross-site cookies to HTTPS connections only.

Beyond protecting users from tracking, the elimination of 3rd party cookies has other security benefits. Google described it this way: “This change also has a significant security benefit for users, protecting cookies from cross-site injection and data disclosure attacks like Spectre and CSRF by default, which work by reading the content of browser memory.”

It’s a good step towards privacy by design, but it can break approaches that have worked for years. These changes can impact some single sign-on (SSO) functions in websites, as these solutions typically use cookies. SSO is a useful capability that keeps your customers signed in when navigating between your sites, so you’ll want to know how you can adjust to the new reality. We’ll give you the details about these cookies and what you can do about it.

What’s the difference between 1st and 3rd party cookies?

The key difference has to do with where the cookie came from. Cookies that are created using the same domain you are on (i.e., the site in your browser’s address bar) are 1st party cookies. For example, if I am browsing any onlinestore.com pages, the 1st party cookies will all show onlinestore.com as the domain.

By comparison, 3rd party cookies have a different domain than the site you are using. If I am still using onlinestore.com, the 3rd party cookies you would see there could have a domain such as online-ad-tracker.com. These are commonly used by companies to track a user’s activity across multiple sites. In the era of increased privacy and consent, the ability to track activity at that level is unwanted.
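To make the distinction concrete, here is an added example (not code from the Akamai post) that models, in a simplified way, how a browser classifies a cookie as 1st or 3rd party relative to the site in the address bar, and whether it would attach that cookie to a request. It assumes a naive "last two labels" notion of registrable domain (no Public Suffix List), the blanket block-3rd-party-cookies-by-default policy the post describes, and the SameSite=None-requires-Secure rule behind "cross-site cookies over HTTPS only". The hosts onlinestore.com, online-ad-tracker.com and the Set-Cookie header values are constructed for the example; the `blockThirdParty` option is a hypothetical knob for comparing the old and new browser behaviour.

```javascript
// Simplified model of browser cookie classification and the default blocking
// policy described in the post. Not a faithful browser implementation.

// Assumption: the registrable domain is the last two labels (no Public Suffix List).
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/^\./, '').split('.');
  return labels.slice(-2).join('.');
}

// A cookie is 1st party when its domain shares the registrable domain of the
// top-level page in the address bar; any other domain makes it 3rd party.
function cookieParty(topLevelHost, cookieDomain) {
  return registrableDomain(topLevelHost) === registrableDomain(cookieDomain)
    ? 'first-party'
    : 'third-party';
}

// Parse a Set-Cookie header value into name, value and the attributes we care
// about. `setByHost` is the host that sent the header (used when no Domain is given).
function parseSetCookie(header, setByHost) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: setByHost.toLowerCase(),
    secure: false,
    httpOnly: false,
    sameSite: 'Lax', // browsers default unlabelled cookies to Lax
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'domain': cookie.domain = v.replace(/^\./, '').toLowerCase(); break;
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'samesite': cookie.sameSite = v; break;
    }
  }
  return cookie;
}

// Would the browser attach `cookie` to a request from a page at `topLevelHost`
// going to `requestUrl`? Returns the decision and the rule that produced it.
function wouldSend(cookie, topLevelHost, requestUrl, { blockThirdParty = true } = {}) {
  const url = new URL(requestUrl);
  if (cookie.secure && url.protocol !== 'https:') {
    return { send: false, reason: 'Secure cookie not sent over non-HTTPS' };
  }
  if (registrableDomain(url.hostname) !== registrableDomain(cookie.domain)) {
    return { send: false, reason: 'request host does not match cookie domain' };
  }
  if (cookieParty(topLevelHost, cookie.domain) === 'first-party') {
    return { send: true, reason: 'same-site request, 1st party cookie' };
  }
  // Cross-site from here on: only SameSite=None + Secure may even be considered.
  if (cookie.sameSite.toLowerCase() !== 'none') {
    return { send: false, reason: `SameSite=${cookie.sameSite} blocks cross-site use` };
  }
  if (!cookie.secure) {
    return { send: false, reason: 'SameSite=None requires Secure (HTTPS only)' };
  }
  return blockThirdParty
    ? { send: false, reason: '3rd party cookie blocked by default' }
    : { send: true, reason: 'cross-site cookie allowed (legacy policy)' };
}

// Constructed scenario: a shopper on onlinestore.com, an ad tracker, and an
// identity provider on its own domain (a stand-in for an IDaaS SSO cookie).
function demo() {
  const page = 'www.onlinestore.com';
  const session = parseSetCookie('sid=s1; Secure; HttpOnly; SameSite=Lax', 'onlinestore.com');
  const tracker = parseSetCookie('uid=u1; Domain=online-ad-tracker.com; SameSite=None; Secure', 'online-ad-tracker.com');
  const idp = parseSetCookie('sso=t1; SameSite=None; Secure', 'login.identity-example.com');
  return {
    sessionParty: cookieParty(page, session.domain),
    session: wouldSend(session, page, 'https://onlinestore.com/cart'),
    trackerToday: wouldSend(tracker, page, 'https://online-ad-tracker.com/pixel'),
    trackerBefore: wouldSend(tracker, page, 'https://online-ad-tracker.com/pixel', { blockThirdParty: false }),
    ssoToday: wouldSend(idp, page, 'https://login.identity-example.com/session'),
  };
}
```

Run `demo()` and note that the identity provider's cookie is refused for exactly the same reason as the tracker's: the policy sees only a 3rd party cookie, not its purpose.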

Should I be using any kinds of cookies at all?

First party cookies aren’t bad; they’re a key component in helping provide the personalized experience you are used to as you go from place to place on the same website. Without them, you would have to log in more often or potentially lose what’s in your shopping cart. If you really want to disable 1st party cookies it can be done in the browser’s settings. However, you may find that your browsing experience is much more difficult without 1st party cookies enabled.

What are the implications to my site?

If you use an Identity-as-a-Service (IDaaS), such as Akamai Identity Cloud, to help provide SSO capabilities, the SSO session is tracked with cookies on the service provider’s domain, which is not owned by your site, so from your site’s perspective they are 3rd party cookies. Impacted websites will not be able to automatically log in a user who has already authenticated on another one of your sites, and in turn, users will need to initiate log in on each site.

As a result of limiting 3rd party cookie usage, single sign-on solutions that rely on 3rd party cookies are also impacted and are already not working in many browser/OS combinations. Apple for one has recognized this and indicated in a blog post that the disruption of SSO or federation may have an “unintended impact” and that it “may alter tracking prevention methods to permit certain use cases” in the future.

Even though the IDaaS cookie isn’t being used to track users, the new browser protections don’t discriminate between “good” capabilities like SSO and “less desirable” functions such as ad tracking. If it’s a 3rd party cookie, it gets disabled.

What can I do?

Customers who wish to continue offering an SSO capability for their websites will need to move to a solution that sends the user to a centralized login page for authentication; because the user visits that page directly, it can track the session with a 1st party cookie.

The end user experience can be implemented to work exactly like a social login where the main website stays in the primary window and the user authenticates in a popup window which closes automatically on successful login.
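The following is an added example, not code from the Akamai post or from Akamai Identity Cloud, of the popup flow just described. The main page opens the centralized login page in a popup; after the user authenticates there, the login service redirects the popup to a callback page on the site’s own domain, whose response sets the session as a 1st party cookie (`Set-Cookie` on the site’s domain) and then notifies the opener and closes itself. The authorization URL, client id, redirect URI and the `sso-login-complete` message type are placeholders; the request parameters follow the OpenID Connect authorization code flow, and the main page only accepts completion messages from its own origin.

```javascript
// Popup-based centralized login with a 1st party session cookie.
// Placeholder values: replace with your login service's real endpoints.
const LOGIN_AUTHORIZE_URL = 'https://login.example/authorize';           // hypothetical
const CLIENT_ID = 'example-client';                                       // hypothetical
const REDIRECT_URI = 'https://www.onlinestore.com/auth/callback';         // hypothetical
const LOGIN_MESSAGE_TYPE = 'sso-login-complete';                          // hypothetical

// Build the OpenID Connect authorization request. `state` ties the callback to
// this browser tab; `nonce` is echoed in the ID token by the login service.
function buildAuthorizeUrl({ state, nonce, authorizeUrl = LOGIN_AUTHORIZE_URL,
                             clientId = CLIENT_ID, redirectUri = REDIRECT_URI }) {
  const u = new URL(authorizeUrl);
  u.searchParams.set('response_type', 'code');
  u.searchParams.set('client_id', clientId);
  u.searchParams.set('redirect_uri', redirectUri);
  u.searchParams.set('scope', 'openid');
  u.searchParams.set('state', state);
  u.searchParams.set('nonce', nonce);
  return u.toString();
}

// Validate the callback the popup landed on: no error, state matches, code present.
function checkCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  if (params.get('error')) return { ok: false, reason: params.get('error') };
  if (params.get('state') !== expectedState) return { ok: false, reason: 'state mismatch' };
  const code = params.get('code');
  if (!code) return { ok: false, reason: 'missing code' };
  return { ok: true, code };
}

// The main page must only trust completion messages posted from its own origin.
function isTrustedLoginMessage(event, ourOrigin) {
  return event.origin === ourOrigin
    && event.data != null
    && event.data.type === LOGIN_MESSAGE_TYPE;
}

// Browser only: random hex string using Web Crypto (window.crypto).
function randomToken() {
  const bytes = new Uint8Array(16);
  crypto.getRandomValues(bytes);
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Browser only, main page: open the login popup and resolve when it reports back.
function startPopupLogin() {
  return new Promise((resolve, reject) => {
    const state = randomToken();
    const nonce = randomToken();
    sessionStorage.setItem('sso_state', state); // the callback page checks this
    const popup = window.open(buildAuthorizeUrl({ state, nonce }), 'sso-login',
                              'width=500,height=650');
    if (!popup) return reject(new Error('popup blocked'));
    const onMessage = (event) => {
      if (!isTrustedLoginMessage(event, window.location.origin)) return; // ignore strangers
      window.removeEventListener('message', onMessage);
      resolve(event.data.ok); // session cookie is already set; refresh user state here
    };
    window.addEventListener('message', onMessage);
  });
}

// Browser only, callback page (served from our own domain). The server that
// rendered this page exchanged `code` for tokens and set the session cookie on
// our domain (e.g. Set-Cookie: sid=...; Secure; HttpOnly; SameSite=Lax), so the
// cookie is 1st party. This script just reports back to the opener and closes.
function finishPopupLogin() {
  const result = checkCallback(window.location.href, sessionStorage.getItem('sso_state'));
  sessionStorage.removeItem('sso_state');
  if (window.opener) {
    window.opener.postMessage({ type: LOGIN_MESSAGE_TYPE, ok: result.ok }, window.location.origin);
  }
  window.close();
}
```

The browser-only functions are split from the pure ones so the URL construction, callback validation and message filtering can be unit tested outside a browser; the state check in `checkCallback` is what stops a callback URL pasted in from another context from completing a login in this tab.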

Akamai Identity Cloud offers an OpenID Connect compliant solution that can help you keep up with the improved privacy your users need and want.


*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Akamai. Read the original post at: http://feedproxy.google.com/~r/TheAkamaiBlog/~3/vbOsZsuEsLU/cookies-single-sign-on-and-you.html