Disable 3rd party cookie requirement globally

Answered

49 Comments

  • Thilo Langbein

    Third Party cookies are a privacy nightmare. This as not acceptable - these days!

    9
  • Seth

    The 3rd party cookie requirement is extremely lame.

    I've had 3rd party cookies blocked by default in all my browsers for literally years now.

    Pretty much the only web site authentication mechanism that has a problem with this is Zendesk.

    Why are so many other web sites able to allow logins without forcing end users into the surveillance matrix of the 3rd party cookie regime?

    It's such a pain in the neck, it really has made be despise using the Zendesk product as an end user, and I would never recommend it to my clients for this reason alone.

    6
  • Caroline Kello
    Zendesk Product Manager

    Hey folks,

    I'm Caroline and I'm on the Product team. We do have time set aside on my team's roadmap in the next month to figure out what our long-term solution is, related to these third-party cookie issues and user login issues and of course the security aspect of it. We've experienced issues with Safari in the past that seem to come and go, most likely based on the Apple ITP logic being updated. Most recently the new version of Chrome and the SameSite cookie update was top of mind for us to resolve.

    I understand the frustrations and we are aware of the issues it's causing, both from a user experience standpoint but also from yours and ours reputation.

    I'll be back in this thread when I've more updates to share and thank you for the patience in the meantime.

    Cheers, Caroline

    6
  • George Deligiannis

    I have the same issue since this morning. I'm using chrome and since yesterday, I have the same setup, no new updates or anything. I was kicked out from my session and i had to sign in again this morning.

    Well, the login works and then it doesn't load. Zendesk says that "xxx.zendesk.com refused to connect.". And it keeps reloading.

    Of course it works in other browsers, but not in chrome.

    I enabled third party cookies, but no difference at all. Even in incognito mode.

    It also says at the login screen "Your browser restricts cookie usage. Click here to restart your sign in." When I click it, nothing happens.... this is really weird and frustrating.

    5
  • Avi Kelman

    It looks like in Safari the problem is that cross-site tracking prevention stays active even if you turn it off until Safari is fully quit and restarted.

     

    I would like to reiterate the request from others, though, that cross-site tracking prevention is there because 99.99% of all use-cases are for spying on people. Requiring users to disable that protection is a serious invasion of personal security, and every other website manages to work just fine without requiring tracking across domains.

    5
  • Seth

    How about zendesk fixes this problem at the source and re-engineers the product to do away with the insane 3rd party cookie requirement?

    Is that option on the table?

    Please stop torturing your userbase with the existing hack job authentication scheme.

    4
  • Avi Kelman

    3
  • Andy Zarzycki

    Brett - Community Manager  Still experiencing the issue despite resetting Chrome, disabling all extensions, re-checking that third party cookies are enabled and zendesk is in the whitelist.

     

    I have taken to using MS Edge, so when I click on a zendesk link in an email notification I let it load the page with the "Your browser restricts cookie usage. Click here to restart your sign in." message (I am naively hopeful that maybe it'll get fixed one day), then I copy that url into Edge.  I need to chime in on dozens of tickets most days, so this is a huge inconvenience.

    Also being in the web development industry since 1999 I know that your login system does not have to be architected this way. This cross-(sub-)domain login problem is solved already. What you're looking for is to be an Oauth provider. (You do consume Oauth for federated logins with Google, etc, already but that's different than being an authentication provider) Re-architecting your login system is the right and proper long term solution to this problem.

    However, clearly your system works on many instances of Chrome (or Safari or something else) with the same version numbers as some machines on which it consistenly fails. On machines where the problem manifests itself the attempt to load the page after the login submission fails with a "subdomain.zendesk.com refused to connect" error. It could well be that this issue has nothing to do with browser settings but is a rare bug that crashes at some layer in your api stack. Given that your login page also erroneously claims cookies are disabled--while I can see cookies actually being sent to the page--leads me to suspect your load balancers not passing data/headers/something as expected in some scenario.

    Please, have your engineers investigate this.

     

    Andy

    3
  • Seth

    THIS ==> "cross-site tracking prevention is there because 99.99% of all use-cases are for spying on people."

    2
  • David D'Agostino

    It baffles me that Zendesk staff side is surprised about this error.   My company started using zendesk  earlier this year, and since day 1, I cannot logon my mac using Safari.  It's not limited to me or something misconfigured.  It happens to all my engineers.   For me, using chrome actually made it work, but this is unacceptable.    When i click a link expecting it to seamlessly take me to the ticket deatails, but instead I'm stopped at login with a Cookies message, one that provides a busted solution, well, enough said.    Imagine on the 6th different time/day this happens... each time you regain faith that you fixed it and you  "Click here to restart your login"... only for it to refresh back to the same busted login page with the same busted message.

    We too submitted a ticket to zendesk about this from day 1.  I just talked to my colleague who submitted it and it was shrugged off and no solution provided.  Asking users, some of who have been in the industry for longer than zendesk has been a company, to resinstall their browser to see if it fixes is nuts!!!   The beauty of a web app is convenience, no need to install anything.    It shouldnt be the users that have to work around you, it should be you finding solutions to keep your customers happy.

    WORKAROUND FOR SAFARI USERS 

    To anyone using Safari on a mac, you can fix this by going to Safari -> prefrences -> privacy -> Website Tracking -> Prevent cross-site tracking.   Uncheck this.    Fully quit safari program, restart it, and the cookies message on log-in goes away. I don't think this is acceptable, as the cores features of zendesk shouldn't need to rely on this type of tracking.

    ZENDESK ASK

    At a minimum, change the message from "your browser restrict cooke usage.  Click here to restart login"  to something helpful.  Clicking a link to restart that goes right back to the same error page is the worst scenario.    Instead, provide language as to why you require this cookie tracking and instructions on how to allow it on the most popular browsers.     Some users will still be angry cause privacy is king these days.  But at least the users won't think Zendesk is just incompetent.

    Also - provide my solution to your engineers and support staff.   It makes things much worse when end users are asked to reinstall their browser as a fix.   It shows a lack of understanding of the problem and in most cases, will not fix.    

     

    Thanks

    2
  • Andy Zarzycki

    I have turned off "Block third-party cookies" in Chrome and have added [*.]zendesk.com to the allow list, and still I get the message "Your browser restricts cookie usage." As far as I can tell, this happens on any support site powered by Zendesk, but not Zendesk itself (here).

    I've cleared cookies and updated Chrome twice since this started happening about two weeks ago, yet at this point I cannot log into any Zendesk powered site using Chrome. Incognito mode doesn't help.

    I've verified that my browser receives Set-Cookie headers for things like __cfduid, _zendesk_shared_session, _zendesk_session and _cfruid and and clears the _zendesk_authenticated cookie. On subsequent requests my browser sends all those values that were set back in a cookie header. There are no failed network requests nor any errors in my JS console. It doesn't look like my browser is actually not accepting cookies, yet the Zendesk login mechanism seems to mistakenly believe otherwise. 

    Using a non-default browser is highly cumbersome. Any suggestions on what to try?

    1
  • George Deligiannis

    Avi Kelman thanks a lot for this! This is exactly what I experience!!!! 

    Brett - Community Manager i reset chrome and I cleaned all cookies, stored data etc... I didn't try to uninstall and reinstall yet

    1
  • Chris Parker

    I have this same problem and it's driving me mad

    The workaround above doesn't work for me - I have unchecked this option, restarted Safari, hell I even restarted my entire MacBook and I still get the same issue.  I login fine without error using Chrome, but that isn't a solution for me.

    1
  • Kevin Franck

    I am using Chrome on macOS v10.15.2.  I am experiencing the exact same problem as @Andy, George and Avi and have tried everything described in this thread (turned off "Block third-party cookies" in Chrome, added zendesk.com to the allow list, cleared existing cookies, etc.).  I can't get past the login page that displays the message "Your browser restricts cookie usage. Click here to restart your sign in." 

    Has anyone come-up with a resolution for this problem?

    1
  • paulatlan

    Experiencing the same issue since this morning. 

    I second the fact that it is unacceptable to ask users to lower their privacy expectations for the sake of ONE website!

     

    1
  • Yao

    Suspend this relates to the Chrome SameSite Cookie feature (https://www.chromestatus.com/feature/5088147346030592). This feature is slowly released to all Chrome user, and will be official released in Chrome 80 in Feb 4th, 2020

    There is a workaround that fix my problem in Chrome (which disable the feature):

    If you experience the same problem in Firefox:

    • Go to about:config 
    • Disable the following two configs:
      • network.cookie.sameSite.laxByDefault
      • network.cookie.sameSite.noneRequiresSecure
    1
  • Bruno Cruz

    Hello team,

    Our engineers are starting to get affected by this and the workaround provided by Yao two months ago is deemed as a security risk internally. Any update on this?

    1
  • Chris Contorinis

    Also got this on Brave. You have to go to Settings > Shields > Cookies > Allow all cookies. The above Chrome workaround is not necessary (and does not work) for Brave.

     

    1
  • Michael Bierman

    This issue has been open for over a year. It is very disappointing that zendesk hasn't addressed it. 

    I see people complain about

    • Safari
    • Brave
    • Chrome

    That is a huge portion of the user population.

    Zendesk is often used when a customer is already agitated and trying to get help with some problem. When they go to a vendor's portal to get help and then get pushed into a rabbit hole of zendesk hell this makes that customer and zendesk look bad. 

    Very unfortunate. 

    1
  • Phil Mocek

    I think it would be helpful if instead of discussing support for specific browsers (as if we're back to the bad old days of "works best in Internet Explorer"), Zendesk published detailed requirements and left satisfying those requirements up to those of us who have the know-how to do it.

    I, like many other people, actively try to *prevent* one site from setting cookies that another can see.  This is a widely-accepted best practice, and some browsers may be (hopefully are) doing this by default nowadays.  Disabling that is, as another user opined in this thread, a security nightmare.

    I use Brave Browser for most purposes, and I was eventually able to get Zendesk working by *disabling various combinations of the privacy-protecting mechanisms I use* (e.g. extensions Privacy Badger and uBlock Origin, Brave's inbuilt protections).  This is terrible.  And worse, I'm just guessing at what might work, as Zendesk do not appear to publish detailed requirements, so I cannot guarantee that it will continue to work.  I must assume that I have discovered a happy coincidence rather than a long-lasting solution to the problem.

    1
  • Phil Mocek

    Also, some Zendesk support staff seem to be conflating the use of cookies in general with the use of third-party cookies in particular.  The former is required by nearly any webapp, and I doubt any of your users are trying to run Zendesk in a browser that bars setting of any cookie.  The latter is something I see only out of Zendesk nowadays, and it is going to conflict with the configuration of most anyone who cares about their privacy and security, knows at least generally what a third-party cookie is, and knows how to configure his or her browser to prohibit them.

    1
  • Mandy

    Hello there David, thank you for your question. Yes, there have understandably been requests to allow this option. Even so, cookies are a necessity to log into the Help Center and use Zendesk. This is a part of Zendesk's security architecture.

    Zendesk maintains a large application audit log to include security events such as user logins or configuration changes. The Zendesk application utilizes numerous framework level protections to help prevent Web application vulnerabilities and to secure credential storage. 

    All cookies that are sent during the login action would need to be accepted for the authentication process to be performed. Please check out our cookie policy for more details. Your end users can use any browser, but they will all use cookies. The difference is just in the browser's security settings, which can require to allow cookies each time, or to always allow cookies for that site, for example.

     

    0
  • Nicole S. - Community Manager
    Zendesk Community Team

    Hi Thilo -

    Are you having a specific issue with cookies that we can assist you with?

    0
  • Avi Kelman

    This affects Safari 13.0.3 as well trying to connect to third party zendesk support sites (e.g. support.circleci.com).

    0
  • Brett - Community Manager
    Zendesk Community Team

    @Andy and George, that definitely sounds like odd behavior going on. Have you tried uninstalling and re-installing Chrome to see if that helps? I'd be happy to create a ticket on your behalf if the issue continues.

    @Avi, I tried accessing the URL you provided using Safari but was unable to replicate this behavior. Are you still experiencing issues with 3rd party cookies on your end?

    Let me know!

    0
  • Brett - Community Manager
    Zendesk Community Team

    Thanks for the update Avi!

    I'm going to bring this into a ticket so our Customer Advocacy team can troubleshoot further.

    You'll receive an email shortly stating your ticket has been created.

    Cheers!

    0
  • Brett - Community Manager
    Zendesk Community Team

    Hey Chris,

    I'm going to bring this into a ticket so our Customer Advocacy team can look into this for you.

    You'll receive an email shortly stating your ticket has been created.

    Cheers!

    0
  • Brett - Community Manager
    Zendesk Community Team

    Hey Andy,

    Thanks for the detailed explanation here! I'm going to create a ticket on your behalf so our engineers can investigate this issue on your end. You'll receive an email shortly stating your ticket has been created.

    Cheers!

    0
  • Will O'Neal

    Is the official response to this going to be addressed individually, as per Andy? Because I have to use an older OS and an older version of Chrome now as well.

    0
  • Brett - Community Manager
    Zendesk Community Team

    Hey Will,

    It looks like we have a problem ticket related to this issue that is currently escalated to our engineers. This is something our team is still investigating so I'd be happy to create a ticket on your behalf if you haven't already done so.

    Let me know!

    0

Please sign in to leave a comment.

Powered by Zendesk