The answer could be along the lines of something called SameSite. In early 2020, web browser vendors updated their browsers to begin phasing in enforcement of the SameSite attribute in HTTP cookies.

What is SameSite?

SameSite is a property that can be set in HTTP cookies to prevent Cross-Site Request Forgery (CSRF) attacks in web applications.

Its main goal is to mitigate the risk of cross-origin information leakage. It also provides some protection against cross-site request forgery attacks.

With the introduction of the cookie SameSite attribute, PeopleSoft would be able to determine whether the same cookies are used when the accessed website POSTs back to the PeopleSoft eProcurement application. The accessed vendor website treats the PeopleSoft application as a third-party site instead of a connected site. SameSite is all about which cookies browsers include when posting requests to third parties.

How May SameSite Affect eProcurement?

PeopleSoft eProcurement’s “Direct Connect” functionality can be summarized as follows: when the user “punches out” from the PeopleSoft eProcurement Requisition page, the user’s browser window transfers from PeopleSoft content to the Supplier’s online store content to facilitate selecting and adding the desired items to the shopping cart. Once the shopping is done, the user needs to press the “Transfer Cart” button.

Technically speaking, clicking Transfer Cart posts a request from the Supplier’s site to PeopleSoft’s eProcurement Requisition page. This request includes all the shopping cart information for the items from the transferred cart. The eProcurement Requisition now displays all items shopped by the user. The Requestor may save the selected items in the eProcurement Requisition page by clicking “Save” or may proceed to “Submit” the Requisition. On submit, the PeopleSoft application’s workflow triggers, approval actions happen, and the other procurement processes continue.

However, the eProcurement process may “break” when the browser enforces the SameSite cookie semantics during the “transfer cart” (aka the punch-back) operation from the shopping cart back into PeopleSoft. The punch-back is a POST request to PeopleSoft from the Supplier’s website page.

Due to the SameSite setup, PeopleSoft cookies are lost during the POST from the Supplier’s website back to the PeopleSoft eProcurement Requisition page. Without these cookies, PeopleSoft would not be able to determine the user context and other relevant session information, which results in PeopleSoft kicking the user out of the page and back to the login page.
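
The punch-back failure described above, as an added example (not PeopleSoft or Oracle code): a simplified model of the browser rule that decides whether a cookie accompanies a request. Host names and cookie values are constructed, site matching uses the last two host labels instead of the Public Suffix List, and Chrome's temporary allowance for recently set cookies on cross-site POSTs is not modelled.

```javascript
// Added example: models a browser's SameSite decision for one cookie.
// Hosts, cookie names and values below are constructed.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Parse the attributes of a Set-Cookie header value that matter here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.split("=")[0], sameSite: null, secure: false };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=");
    if (key.toLowerCase() === "secure") cookie.secure = true;
    if (key.toLowerCase() === "samesite") cookie.sameSite = value.toLowerCase();
  }
  return cookie;
}

// Simplification: "site" = last two host labels. Real browsers use the
// Public Suffix List (and the scheme) to find the registrable domain.
const siteOf = (host) => host.split(".").slice(-2).join(".");

// Would the browser attach `cookie` to this request?
function cookieIsSent(cookie, req) {
  if (siteOf(req.initiatorHost) === siteOf(req.targetHost)) return true;
  // A missing or unknown attribute is treated as Lax under enforcement.
  const mode = cookie.sameSite || "lax";
  if (mode === "none") return cookie.secure; // None without Secure is rejected
  if (mode === "strict") return false;
  return req.topLevelNavigation && SAFE_METHODS.has(req.method.toUpperCase());
}

// Punch-back: the supplier page POSTs the cart to PeopleSoft, cross-site.
const punchBack = {
  initiatorHost: "shop.example.net",
  targetHost: "peoplesoft.example.com",
  method: "POST", topLevelNavigation: true,
};

function demo() {
  return [
    "SESSION=abc123; Path=/; HttpOnly",
    "SESSION=abc123; Path=/; HttpOnly; SameSite=Lax",
    "SESSION=abc123; Path=/; HttpOnly; Secure; SameSite=None",
  ].map((h) => cookieIsSent(parseSetCookie(h), punchBack));
}

console.log(demo()); // [ false, false, true ]
```

Only the third cookie reaches PeopleSoft on the cross-site POST; the first two are withheld, which is the lost-session condition described above.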

PeopleSoft Solution to Overcome the Impact:

To resolve the issue introduced by SameSite, PeopleSoft has provided a fix on both the Applications and PeopleTools sides. The fix/patch from PeopleTools has been delivered in PT 8.56.26, 8.57.20 & 8.58.09, and the fix/patch for eProcurement has been delivered in PeopleSoft Update Image #39.

Applying the combination of patches provided by PeopleTools and the eProcurement application should resolve the issue. The Web Profile Configuration also needs a small change, which can be accomplished by following these steps.

Log in to the Portal and Content systems as a user with Administrator privileges.

1. Navigate to Main Menu –> PeopleTools –> Web Profile –> Web Profile Configuration.

2. Select the active web profile currently being used.

3. Go to the last tab, “Custom Properties”.

4. Add a new property: Property Name = “Repost”, Validation Type = “String” and Property Value = “/c/PV_MAIN_MENU.PV_DC_CATCHER.GBL,http://<Hostname>:<port>”

(If https is being used, then use ‘https’ instead)

(Hostname and port are to be replaced by proper Load Balancer values by customers)

5. Add one more property: Property Name = “Repost1”, Validation Type = “String” and Property Value = “s/WEBLIB_PV_DC.PV_ISCRIPT_LIB.FieldFormula.IScript_DCCatcher,http://<Hostname>:<port>”

(If https is being used, then use ‘https’ instead)

(Hostname and port are to be replaced by proper Load Balancer values by customers)

6. Save and log out.

7. Stop all the Web Servers.

8. Clear all the web server, application server and browser caches.

9. Restart all servers and retest.

SameSite won’t trouble you anymore for your Direct Connect purchases. Happy shopping!