BUG: Unable to log in to att.com using Safari with Prevent cross-site tracking enabled
There appears to be a design flaw with the login architecture of att.com. I am unable to log in with Safari when "Prevent cross-site tracking" is enabled. Similarly, I'm unable to log in via Chrome or Firefox when 3rd-party cookies are blocked. I have to either disable those settings (not suggested) or make an exception for att.com (which only works in Chrome and Firefox and is an inconvenient step that most users wouldn't know how to do).
Most likely this is because the att.com identity server is issuing a cookie under a different domain (good practice) and the att.com site that relies on the identity server is trying to read that same cookie from a different domain (bad practice).
If I'm correct, the issue stems from a fundamental flaw in the login design. Those of us who care about proper browser and internet security will be very frustrated with this. 99% of all cross-domain cookie usage is for unsolicited tracking. In this day and age where security and privacy are paramount, more and more people are, and should be, opting to restrict 3rd-party cookies. Browser developers themselves are starting to enable these protections as the default. This kind of design may have been common in the past but is simply not acceptable now.
Best practice now would be to keep each site's cookies in separate domains and avoid reading any cookies across domains on a page. Instead, use a process like OpenID Connect (based on OAuth2) to generate tokens to hydrate the client (relying party) cookies.
If there are any att.com devs reading this, please let me know if my assumptions above about the site's design are correct and if there might be an initiative to fix it. Alternatively, if it is due to something else, please let me know that too. If other users can confirm this behavior, that would be nice too just to make sure I'm not crazy. :-)
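The following is an added illustration, not part of the original post and not AT&T's code: a simplified model of third-party cookie blocking that compares the design the post hypothesises (a page reading the identity server's cookie cross-site) with an OpenID Connect redirect flow. The hostnames, paths and the two-label "site" rule are assumptions made for the example.

```javascript
// Hostnames are constructed placeholders, not real endpoints.
const RP = "https://www.shop.example";    // relying party: the site the user visits
const IDP = "https://login.idp.example";  // identity server on a different site

// Simplified assumption: "site" = last two host labels.
// Real browsers decide this with the Public Suffix List.
const siteOf = (url) => new URL(url).hostname.split(".").slice(-2).join(".");

// May the browser send or store cookies for requestUrl while
// topLevelUrl is the page in the address bar?
function cookieAllowed(topLevelUrl, requestUrl, blockThirdParty) {
  const thirdParty = siteOf(topLevelUrl) !== siteOf(requestUrl);
  return !(thirdParty && blockThirdParty);
}

// Design A: a page on the RP calls the IdP from an iframe or XHR
// and depends on the IdP's session cookie being attached.
function embeddedSessionCheck(blockThirdParty) {
  return cookieAllowed(`${RP}/account`, `${IDP}/session`, blockThirdParty);
}

// Design B: OpenID Connect authorization code flow via top-level redirects.
function redirectLogin(blockThirdParty) {
  const steps = [
    // 1. Full-page navigation to the IdP: its cookie is first-party there.
    [`${IDP}/authorize`, `${IDP}/authorize`],
    // 2. Redirect back with a code: the RP sets its own first-party cookie.
    //    (The code-for-token exchange is server to server, no browser cookies.)
    [`${RP}/callback?code=CONSTRUCTED`, `${RP}/callback?code=CONSTRUCTED`],
    // 3. Later page loads carry only the RP's own cookie.
    [`${RP}/account`, `${RP}/account`],
  ];
  return steps.every(([top, req]) => cookieAllowed(top, req, blockThirdParty));
}

// Outcome of both designs with third-party cookies allowed and blocked.
function compare() {
  return [false, true].map((blockThirdParty) => ({
    blockThirdParty,
    embedded: embeddedSessionCheck(blockThirdParty),
    redirect: redirectLogin(blockThirdParty),
  }));
}

console.table(compare());
```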