In the April 21st, 2021, release, the Biotics Map will be converted to only be available over https. Background information regarding the need for this change follows. Below is a list of the programs which will be affected by this change, according to the map services (which use http and therefore will no longer work, following the change) configured within their Map Library. We wanted to bring this to your attention now, so that you can prepare for the change prior to April 21st.


This change will apply to any service being added to the Map, be it with Add Resource via URL or by the Library. The programs highlighted below contain services configured in the Map Library which use http:. You can find these by filtering the Url for http:


Should you have any questions regarding this, please submit a ticket to the Help Desk by emailing biotics@natureserve.org.

ProgramNumber of http URLs
bioticsab10
bioticsaz40
bioticsbc8
bioticsco19
bioticsfl1
bioticsga2
bioticsin2
bioticsks7
bioticsma22
bioticsmd17
bioticsmi8
bioticsmn2
bioticsnc1
bioticsnu1
bioticsnv1
bioticsny12
bioticson2
bioticsor1
bioticspa1
bioticssd1
bioticssk4
bioticstn2
bioticstva1
bioticstx1
bioticsvt19
bioticswa1
bioticswi3
bioticswv4
bioticsyt15

Background

In January 2021, the map viewer stopped working on Chrome, resulting in infinite redirects between the map page and the login page. See the Map Continuously redirecting in Chrome solution.


At the time, we thought it was a profile corruption issue, but it turned out to be caused by a change in how Chrome treats cookies. Starting with Chrome 88 (released Jan 19, 2021), it started assuming SameSite=Lax if a SameSite policy was not defined. It also changed its policies at some point so that http and https versions of the same URL are no longer treated as the same site. Consequently, even if the user is logged in, this prevents the map viewer from accessing the session cookie which acts as the authentication token.

Our current workaround is "use Firefox", but this is likely to be a short-term bandaid. While it hasn't announced a date to do so, it has announced its intention to change its default behaviors at some point. See https://hacks.mozilla.org/2020/08/changes-to-samesite-cookie-behavior/

In theory, Edge should be behaving like Chrome, but the map still appears to work. But I highly doubt it'll stay that way, especially since its built on the same underlying Chromium engine.

Long story short: the writing is on the wall. We should convert the map viewer to https and announce this change to member programs ASAP.

For further reading:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
https://web.dev/samesite-cookies-explained/