With the web constantly evolving to improve user experience, security, and privacy, so are the policies! Upcoming changes to the browser cookie policy are expected to be released in early 2020, which will directly impact federated authentication flows and cross-domain hosting scenarios when using browsers. This could potentially affect a user’s ability to connect to their Business Central or Dynamics NAV when using:
- Business Central Outlook Add-on
- Business Central as a SharePoint app
- Business Central using the Azure Active Directory authentication
- Business Central embedded in an iframe as part of another website.
The main browsers to be affected are Google Chrome, which is expected to update on 4th February 2020, and Microsoft Edge, which is expected to update at the same time as or later than Google Chrome. Other browsers may adopt a similar cookie policy; however, nothing has been confirmed yet.
Which Cookie Policies are Changing?
Google Chrome and Microsoft Edge will be changing the implementation of the SameSite attribute according to the following:
- Cookies default to SameSite=Lax
By default, if no SameSite attribute is specified, then cookies are treated as SameSite=Lax.
- Reject insecure SameSite=None cookies
If a cookie that requests SameSite=None is not marked Secure, it will be rejected.
How to Prevent Disruption
To prevent disruption to your Dynamics 365 from the cookie policy changes, you must upgrade your Dynamics NAV or Business Central platform to the latest version. You do not need to upgrade if you are already running one of the versions below; however, we recommend that every user test their deployment with any available pre-release versions of Google Chrome and Microsoft Edge.
Version | Minimum Recommended Update |
Dynamics NAV 2015 | |
Dynamics NAV 2016 | |
Dynamics NAV 2017 | |
Dynamics NAV 2018 | |
Dynamics 365 Business Central Fall 2018 | |
Dynamics 365 Business Central Spring 2019 | |
Dynamics 365 Business Central 2019 Release Wave 2 |
Additional Changes Required to Load Balancer Configuration
If your web server is hosted in a web farm, then it is important to add the SameSite attribute for the session affinity cookie. In an IIS web farm, you can do this by adding additional rewrite rules in the system web.config file as follows:
<!-- Outbound rewrite rule: place it inside the <outboundRules> element of the <rewrite> section -->
<rule name="Add SameSite Cookie Flag to ArrAffinity cookie" enabled="true">
  <match serverVariable="RESPONSE_Set_Cookie" pattern="ARRAffinity=.*" />
  <conditions>
    <!-- Skip cookies that already carry a SameSite attribute -->
    <add input="{R:0}" pattern="SameSite=(Lax|Strict|None)" ignoreCase="true" negate="true" />
    <!-- Skip older Safari and iOS browsers that mishandle SameSite -->
    <add input="{HTTP_USER_AGENT}" pattern="Macintosh; Intel Mac OS X 10_14.+Version/.*Safari" ignoreCase="true" negate="true" />
    <add input="{HTTP_USER_AGENT}" pattern="CPU iPhone OS 12" ignoreCase="true" negate="true" />
    <add input="{HTTP_USER_AGENT}" pattern="iPad; CPU OS 12" ignoreCase="true" negate="true" />
  </conditions>
  <action type="Rewrite" value="{R:0};SameSite=none" />
</rule>
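The above rule appends the SameSite=none attribute to the ARRAffinity cookie, except for older versions of Safari and iOS browsers, which have limitations in handling SameSite attributes. Note that the rule does not add the Secure attribute: under the policy described above, a SameSite=None cookie that is not marked Secure is rejected, so the affinity cookie must also be marked Secure.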
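The rule's conditions and the two policy changes can be checked offline against sample headers. The following Python sketch is an added example, not part of the original article or of Microsoft's code; it is a simplified model of the rule, and the cookie value, domain and User-Agent strings are constructed.

```python
import re

# Condition patterns copied from the rewrite rule on this page.
HAS_SAMESITE = re.compile(r"SameSite=(Lax|Strict|None)", re.I)
EXCLUDED_UA = [re.compile(p, re.I) for p in (
    r"Macintosh; Intel Mac OS X 10_14.+Version/.*Safari",
    r"CPU iPhone OS 12",
    r"iPad; CPU OS 12",
)]

def apply_affinity_rule(set_cookie, user_agent):
    """Simplified model of the rule: append ;SameSite=none to ARRAffinity."""
    m = re.search(r"ARRAffinity=.*", set_cookie)
    if m is None or HAS_SAMESITE.search(m.group(0)):
        return set_cookie          # not the affinity cookie, or already labelled
    if any(p.search(user_agent) for p in EXCLUDED_UA):
        return set_cookie          # older Safari / iOS 12: leave untouched
    return set_cookie + ";SameSite=none"

def new_policy_treatment(set_cookie):
    """Classify a Set-Cookie value under the two changes listed above."""
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    samesite = next((a.split("=", 1)[1] for a in attrs
                     if a.startswith("samesite=")), None)
    if samesite is None:
        return "lax-by-default"    # change 1: no attribute means Lax
    if samesite == "none" and "secure" not in attrs:
        return "rejected"          # change 2: None requires Secure
    return samesite                # explicit lax, strict, or secure none

# Constructed sample data (not from a real deployment).
ARR = "ARRAffinity=0123abcd;Path=/;HttpOnly;Domain=bc.example.test"
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/80.0.3987.0 Safari/537.36")
SAFARI_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) "
             "AppleWebKit/605.1.15 (KHTML, like Gecko) "
             "Version/12.1.2 Safari/605.1.15")

if __name__ == "__main__":
    for cookie in (ARR, ARR + ";Secure"):
        out = apply_affinity_rule(cookie, CHROME_UA)
        print(new_policy_treatment(out), "<-", out)
    print("Safari 12 unchanged:", apply_affinity_rule(ARR, SAFARI_UA) == ARR)
```

The first sample shows why the Secure attribute matters: the rewritten cookie carries SameSite=none but is classified as rejected until Secure is present.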
To test the above solution, you can download the latest Chrome beta version here:
https://www.google.com/chrome/beta/
To test on older Chrome versions, you can manually enable the SameSite flags. To do this:
- Start the Chrome browser
- In the address bar, type chrome://flags
- Set ‘SameSite by default cookies’ to ‘Enabled’
- Set ‘Cookies without SameSite must be secure’ to ‘Enabled’.
It has been reported that Dynamics NAV users are experiencing problems with the November and December cumulative updates; a fix will be issued in the January 2020 updates. The issue only occurs in Chrome 80 Beta, or in older Chrome versions in which ‘Cookies without SameSite must be secure’ is set to ‘Enabled’. For now, Dynamics NAV users are advised either to switch to HTTPS or to set ‘Cookies without SameSite must be secure’ to ‘Disabled’.
If you need assistance with your Dynamics NAV or Business Central, Synergy Technology can offer support and advice on how to update and test your software so that it complies with the upcoming browser cookie policy changes. Get in touch with Synergy Technology today by sending a message through our website or calling 0345 456 0050.