Chrome not keeping my _SESSION vars when coming from 3rd-party IFRAME but works perfectly when accessed directly

Until a few weeks, all my sites were working perfectly.

I write code and sell it on CodeCanyon.

But recently (today) I've noticed that I cannot log in anymore to my little PHP snippets of code that I have on sale there.

If I work directly on my domain, as in typing the link in the URL bar, everything works perfect, in any browser (meaning, all my _SESSION vars are kept, all throughout).

But when I check my snippets of code (all using password protection and _SESSION vars) on CodeCanyon's website, I cannot seem to log in to them in Google Chrome, because the _SESSION vars are just not passed through from page to page.

The weird thing is that in Firefox and even in Microsoft Edge they do work.

I primarily work in Google Chrome (99.5% of my time), and it's a fine browser.

But in this case, where my login password-protected websites come from a 3rd-party website, hosted in their IFRAME, my _SESSIONS vars just don't seem to work (although for years they did!)

I have session_start(); at the top-level of all files.

I even deleted the cache and cookies for the 3rd-party website and for my own domain, and even re-installed Chrome again. Nothing.

I dug on the Internet before asking this question, and it seems that it might be a problem passing _SESSION vars through from an HTTPS website to an HTTP one. The 3rd-party website (CodeCanyon.net) is HTTPS and mine is HTTP. But then, why does everything work perfectly in Firefox and Microsoft Edge?

Is there a PHP-based workaround to this situation?

I have to say that until 3-4 weeks ago, everything was working perfectly for years, and that I stumbled upon the fact that I cannot log in to my DEMO websites I have for sale on CodeCanyon by chance, today.

========================

First edit:

  • just to make things more visual, when accessing my piece of code from the 3rd-party vendor website's IFRAME, on Firefox it displays the session_id() and it stays the same, even if I refresh the page, log in, and do everything right.
  • in Chrome, where it is not working, every time I refresh the page where my piece of code is, there is a different session_id(), which is different in the login.php FORM as well. Why?
Adrian Tanase asked Aug 22 '20 18:08


2 Answers

===============

After 6 hours of digging on the Internet, I have found the answer.

The code required for my _SESSION vars to be transmitted (cross-reference) from one HTTPS secure host (where my page is loaded in an IFRAME) to my HTTP insecure host is to add this:

<?php
// The session cookie must be SameSite=None to be sent from inside a cross-site IFRAME,
// and Chrome only accepts SameSite=None together with Secure (so the page needs HTTPS).
ini_set('session.cookie_samesite', 'None');
ini_set('session.cookie_secure', 'true');
session_start();

This tells the browser that I allow a transfer between two different hosts (cookie_samesite = None) through secure HTTPS (cookie_secure = True) of the _SESSION data, so the _SESSION can be initiated. I am talking about _SESSION cookie server-side variables, in PHP.

But in order to have Secure transmission of the _SESSION vars cross-origin, or between two different hosts (xxx.com and yyy.net), my end has to be HTTPS as well.

So the only way of transmitting _SESSION vars from a host to another different host is a true SECURE connection, and if you don't have HTTPS enabled, you NEED TO GET an HTTPS certificate for your domain name.

So these variables above work ONLY if you have HTTPS enabled on your domain (eg. go buy an HTTPS certificate; in my country prices begin from 14 EUR, and you can usually find these right at the hosting company where you have your domain and hosting).

===================

Adrian Tanase answered Oct 11 '22 23:10


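The answer above sets the two ini options directly; the following is an added example (not the answerer's code) of the same idea done through session_set_cookie_params(), with the HTTPS check made explicit so that the failure mode from the question (a cookie the browser silently drops) becomes a visible error instead. It assumes PHP 7.3 or later (the 'samesite' key of session_set_cookie_params()); the function names, the session name MYSNIPPET_SESSID and the server arrays used in the CLI demo are constructed for the example.

```php
<?php
// Added example: configure the PHP session cookie so a browser keeps sending it
// when the page is embedded in a cross-site <iframe>. Assumes PHP 7.3+.
declare(strict_types=1);

/**
 * Decide whether this request arrived over HTTPS.
 * Browsers only honour SameSite=None when the cookie also carries Secure, and a
 * Secure cookie is only stored for an HTTPS origin, so on plain HTTP the whole
 * scheme fails silently: every request gets a fresh session_id(), as in the question.
 */
function requestIsHttps(array $server, bool $behindTrustedProxy = false): bool
{
    if (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') {
        return true;
    }
    // Only trust X-Forwarded-Proto when a reverse proxy you control sets it;
    // a client-supplied header must not be able to flip this decision.
    if ($behindTrustedProxy && ($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https') {
        return true;
    }
    return false;
}

/**
 * Options for session_set_cookie_params().
 * Cross-site embedding needs SameSite=None plus Secure; same-site pages keep the
 * stricter Lax default, which is what Chrome applies when no attribute is sent.
 */
function sessionCookieOptions(bool $embeddedCrossSite, bool $isHttps): array
{
    if ($embeddedCrossSite && !$isHttps) {
        throw new RuntimeException(
            'Cross-site session cookies need SameSite=None, which browsers only accept '
            . 'together with Secure; this page must be served over HTTPS.'
        );
    }
    return [
        'lifetime' => 0,          // browser-session cookie
        'path'     => '/',
        'domain'   => '',         // current host only
        'secure'   => $isHttps,   // never send the session id over plain HTTP
        'httponly' => true,       // keep the id out of document.cookie
        'samesite' => $embeddedCrossSite ? 'None' : 'Lax',
    ];
}

function startSessionForEmbedding(bool $embeddedCrossSite): void
{
    session_set_cookie_params(sessionCookieOptions($embeddedCrossSite, requestIsHttps($_SERVER)));
    session_name('MYSNIPPET_SESSID'); // assumed name for the example
    session_start();
}

if (PHP_SAPI === 'cli') {
    // Constructed server arrays: one HTTPS request, one plain-HTTP request.
    $tls   = ['HTTPS' => 'on'];
    $plain = ['HTTPS' => 'off'];
    $ok = sessionCookieOptions(true, requestIsHttps($tls));
    echo 'HTTPS + iframe: samesite=', $ok['samesite'], ' secure=', var_export($ok['secure'], true), PHP_EOL;
    try {
        sessionCookieOptions(true, requestIsHttps($plain));
    } catch (RuntimeException $e) {
        echo 'HTTP + iframe: ', $e->getMessage(), PHP_EOL;
    }
} else {
    // Web request: pass true when the page is meant to run inside a third-party iframe.
    startSessionForEmbedding(true);
}
```

Run it with `php example.php` to see the two cases, or drop it at the top of a page and call startSessionForEmbedding(true) in place of the bare session_start(). Throwing instead of quietly setting a Lax cookie is deliberate: an embedded login page that cannot keep its session should fail loudly on the server rather than look like a browser bug.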
I think this has to do with - https://blog.heroku.com/chrome-changes-samesite-cookie

webmobileDev answered Oct 12 '22 00:10