Written by Art Schrage, HIKE2 Consultant
There’s been a lot of talk lately about the “Same Site” cookie change in Chrome and other browsers that is slowing down — and even breaking — integrations. While these browser manufacturers take positive actions to protect users’ data, the change has caused unintended consequences for Salesforce clients.
So what’s the technical background behind this and how can you make sure this won’t impact your integration?
The Technical Snafu, Put Simply
When you visit a typical web page, most of us know that both the website and the ads on that site immediately place cookies on your browser. For the past 20 years, cookie info sent by embedded ads and other content was sent to you automatically, and often without data encryption. So how dangerous is this?
Well, point to any recent data breach, from Target to Marrior, and we’ve learned: the vulnerability has a more sinister side. As Fortune Magazine recently pointed out, hackers had a banner year in 2019. According to the Identity Theft Resource Center, there were nearly 1500 major data breaches. Here’s how it used to happen before the cookie change:
Imagine it's a typical day, and you log into your bank website to pay your credit card bill. As you interact with the bank site, it sends you a cookie to keep track of the fact you are authenticated to the site. Once you are finished with the morning’s to-do, you open up another browser tab to read your email. A friend emails you a funny joke and you click on a link that takes you to a meme website. However, the joke is on you. The site contains a script that takes advantage of your bank authentication cookie in your other browser tab. As soon as you clicked on the link, the script automatically transferred money out of your account!
The new cookie enforcement by Chrome, Edge, and other browsers, attempts to make this kind of attack, called cross-site request forgery, or CSRF, more difficult. Now, by default (even if website developers do nothing), cookie data can no longer be sent on an unsecured connection between websites and up-to-date browsers. In addition, the change, in breaking some existing functionality, forces developers to acknowledge the security issue and to choose what conditions will cause each of their website’s cookies to be sent.
Why This Increased Cyber Security Matters For Your Integration
This same change has broken some Salesforce integrations.
For example, one of our current clients, a multi-million manufacturer of major power tools distributed to over 20 countries, has a custom tab in Salesforce that provides direct access to a data warehouse (DW) login screen. When a user clicks on that Salesforce tab, the tab requests the DW login screen to display to the user.
This Login screen may have no idea that it’s being displayed inside Salesforce.com and sends a cookie, expecting it to end up in the user’s browser. However, because of the new cookie security — the attempt fails. When the user attempts to log in, the DW login webpage notices the missing cookie and has blocked the attempt.
The result: client frustration and wasted time.
How Your Tech or Development Lead Can Avoid This Integration Fail
First, understand that the fix is likely not in Salesforce.
Before any integration, your tech lead or consultant needs to contact the vendor of your external system and ask them if they are aware of the new enforcement of “Same Site” and “Secure” cookie parameters. We’re finding that some of the smaller-scale ERP providers have not solved this issue on their back end — so being proactive before integration occurs is a must.
At Hike2, we care about taking care of the annoyances that impact employees’ ability to get their job done efficiently. Once the developers adjusted the login screen to account for the browser security change, the cookie issue was eliminated and “tada”, the users were once again able to log in for seamless integration.
Art Schrage – HIKE2’s technical guide (or wizard, as we call him) gives his take on how a recent cybersecurity shift has had the unintended consequence of breaking Salesforce integrations.