How can I resolve a cross-site Google Analytics cookie `SameSite=None` warning in Chrome on Apache 2.4 and PHP 7.1?

My client's website is getting these SameSite cookie warnings in Chrome. I've searched all over and I can't get the warnings to go away. The cookies are due to Google Ad Conversion Tracking on a WordPress site. The site is on an Apache/2.4.7 (Ubuntu) server hosted by DreamHost, running PHP 7.1 for compatibility reasons. To my .htaccess file, I've tried adding:

Header always edit Set-Cookie (.*) "$1; SameSite=None"

and I tried

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

...and I tried

Header always edit Set-Cookie (.*) "$1; SameSite=None;Secure"

as well as many other combinations including SameSite=Lax

One guide recommends for PHP 7.2 and below:

header('Set-Cookie: cross-site-cookie=bar; SameSite=None; Secure');

But that gives me a 500 Internal Server Error.

Yet I am still getting the following three errors:

A cookie associated with a cross-site resource at was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at and .

(index):1 A cookie associated with a resource at http://doubleclick.net/ was set with SameSite=None but without Secure. A future release of Chrome will only deliver cookies marked SameSite=None if they are also marked Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5633521622188032.

(index):1 A cookie associated with a resource at http://google.com/ was set with SameSite=None but without Secure. A future release of Chrome will only deliver cookies marked SameSite=None if they are also marked Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5633521622188032.

In my research, there seems to be limited information about the warning, and in the guides that are available, I'm not sure if I must identify the cookie by name or how to fix the cookie/headers at their source.

Benson asked Oct 13 '19 12:10


2 Answers

I would look at the tracker script. Here is the section about cross-domain traffic in the gtag.js docs. Make sure only the domain is present and no www, http, etc.

gtag('set', 'linker', {
  'domains': ['example.com', 'example-b.com']
});
Ususipse answered Oct 20 '22 06:10


I got a response from Google Chrome Labs after I posted a similar question on their GitHub page.

The cookies triggering the warning are coming from google.com so you will not be able to alter them. The Ads team is aware of these issues and is working to get their cookies fixed before the Feb 2020 stable date. It also means that none of the header directives you're specifying will affect the google.com cookie, it will only cover cookies set for your site.

If you have any cookie warnings that specifically list a domain you control, then you will need to add the correct attributes. -rowan-m

Benson answered Oct 20 '22 06:10
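The answer above draws the line that matters: `Header edit` in .htaccess only rewrites Set-Cookie headers that your own Apache emits, so it can never touch a cookie that google.com or doubleclick.net sets in its own response. The script below is an added example (not code from the question or either answer) that makes that split explicit. It classifies Set-Cookie values into the two warning classes Chrome prints on this page, emulates what each of the three `Header edit` directives in the question does to a first-party cookie, and produces a cross-site-safe rewrite that adds `Secure` and `SameSite=None` exactly once. The host names `example.com` and `doubleclick.net` and every cookie in `SAMPLE_COOKIES` are constructed for illustration, not captured from the asker's site.

```python
"""
Audit Set-Cookie headers against Chrome's SameSite rules and emulate what the
page's `Header edit` directives do to them. Added example, not code from the
original post; the sample headers below are constructed, not captured.
"""
import re

# Constructed sample: (host that set the cookie, raw Set-Cookie value).
SAMPLE_COOKIES = [
    ("example.com", "PHPSESSID=abc123; path=/; HttpOnly"),
    ("example.com", "wordpress_logged_in=xyz; path=/; SameSite=None"),
    ("doubleclick.net", "IDE=constructed-value; path=/; SameSite=None"),
    ("example.com", "wp-settings-1=1; path=/; Secure; SameSite=Lax"),
]


def parse_attrs(header):
    """Split 'name=value; attr; attr=val' into the name=value pair and a list of
    (lowercased attribute name, original attribute text) tuples."""
    parts = [p.strip() for p in header.split(";")]
    attrs = [(p.partition("=")[0].strip().lower(), p) for p in parts[1:] if p]
    return parts[0], attrs


def chrome_warning(header):
    """Classify a cookie the way the console messages on the page do:
    'no-samesite'         -> set without the SameSite attribute
    'none-without-secure' -> SameSite=None but no Secure attribute
    None                  -> Chrome would not warn about it."""
    _, attrs = parse_attrs(header)
    values = {k: p.partition("=")[2].strip().lower() for k, p in attrs}
    if "samesite" not in values:
        return "no-samesite"
    if values["samesite"] == "none" and "secure" not in values:
        return "none-without-secure"
    return None


def apache_header_edit(header, pattern, replacement):
    """Emulate `Header edit Set-Cookie <pattern> <replacement>` from mod_headers:
    a regex applied to the header value, with $1 expanded to the first capture
    group. Only the first match is edited (that is `edit`, not `edit*`); the
    `always` vs. default-table distinction is not modelled here."""
    return re.sub(pattern, lambda m: replacement.replace("$1", m.group(1)),
                  header, count=1)


def fix_for_cross_site(header, https=True):
    """Make a first-party cookie valid for cross-site use: drop any existing
    SameSite/Secure attributes and append 'Secure; SameSite=None' exactly once,
    so applying it twice is harmless. Over plain HTTP a browser will not store
    a Secure cookie at all, so the header is returned unchanged; the real fix
    there is to serve the site over HTTPS first."""
    if not https:
        return header
    name_value, attrs = parse_attrs(header)
    kept = [p for k, p in attrs if k not in ("samesite", "secure")]
    return "; ".join([name_value] + kept + ["Secure", "SameSite=None"])


def audit(site_host, cookies):
    """Return (cookie name, setting host, warning, action) for every cookie that
    would trigger a Chrome warning. A cookie set by a host you do not control
    can only be fixed by that host; nothing in your .htaccess reaches it."""
    report = []
    for host, header in cookies:
        warning = chrome_warning(header)
        if warning is None:
            continue
        name = header.split(";", 1)[0].split("=", 1)[0].strip()
        own = host == site_host or host.endswith("." + site_host)
        action = ("fixable: adjust Set-Cookie on your server" if own
                  else "third-party: cannot be fixed from your server")
        report.append((name, host, warning, action))
    return report


if __name__ == "__main__":
    for row in audit("example.com", SAMPLE_COOKIES):
        print(row)
    # The three directives from the question, applied to one first-party cookie.
    cookie = "PHPSESSID=abc123; path=/"
    for pattern, repl in [(r"(.*)", "$1; SameSite=None"),
                          (r"^(.*)$", "$1;HttpOnly;Secure"),
                          (r"(.*)", "$1; SameSite=None;Secure")]:
        edited = apache_header_edit(cookie, pattern, repl)
        print(repr(edited), "->", chrome_warning(edited))
```

Running it shows that the first directive in the question yields a `SameSite=None` cookie without `Secure` (the second warning class), the second yields `Secure` without any `SameSite` (the first class), and only the third, `$1; SameSite=None;Secure`, leaves a first-party cookie that Chrome accepts; none of them changes the IDE cookie, because doubleclick.net set it. To confirm what your own server actually sends, compare `curl -sI https://example.com/ | grep -i set-cookie` before and after the .htaccess change. If you need to emit the cookie from PHP instead, note that `setcookie()` only gained a `samesite` option in PHP 7.3, so on 7.1 the route is a raw `header('Set-Cookie: name=value; Secure; SameSite=None', false)` call inside a PHP file, not in .htaccess, with the second argument `false` so it does not replace other Set-Cookie headers.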