I created a Chrome extension and from popup.js I called a PHP script (using XMLHttpRequest) that reads the cookie. Like this:
$cookie_name = "mycookie";
if (isset($_COOKIE[$cookie_name])) {
    echo $_COOKIE[$cookie_name];
} else {
    echo "nocookie";
}
But I'm getting this warning at errors in extensions.
A cookie associated with a cross-site resource at (Here is my domain) was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
I tried to create a cookie like this but it didn't help.
setcookie($cookie_name,$cookie_value, time() + 3600*24, "/;samesite=None ","mydomain.com", 1);
Following instructions from this question.
Fixing common warnings
The warning appears because any cookie that requests SameSite=None but is not marked Secure will be rejected. To fix this, you will have to add the Secure attribute to your SameSite=None cookies. A Secure cookie is only sent to the server with an encrypted request over the HTTPS protocol.
A New Model for Cookie Security and Transparency
Developers must use a new cookie setting, SameSite=None, to designate cookies for cross-site access. When the SameSite=None attribute is present, an additional Secure attribute must be used so cross-site cookies can only be accessed over HTTPS connections.
Go to chrome://flags/ then search cookies in the search box, there should be 4 options. Check Enable removing SameSite=None cookies and Consider SameParty cookies to be first-party sections. It may help.
I'm also in a "trial and error" for that, but this answer from Google Chrome Labs' GitHub helped me a little. I defined it into my main file and it worked - well, for only one third-party domain. Still making tests, but I'm eager to update this answer with a better solution :)
I'm using PHP 7.4 now, and this syntax is working well (Sept 2020):
$cookie_options = array(
    'expires' => time() + 60*60*24*30,
    'path' => '/',
    'domain' => '.example.com', // leading dot for compatibility or use subdomain
    'secure' => true, // or false
    'httponly' => false, // or true
    'samesite' => 'None' // None || Lax || Strict
);
setcookie('cors-cookie', 'my-site-cookie', $cookie_options);
If you have PHP 7.2 or lower (as Robert answered below):
setcookie('key', 'value', time()+(7*24*3600), "/; SameSite=None; Secure");
If your host is already updated to PHP 7.3, you can use (thanks to Mahn's comment):
setcookie('cookieName', 'cookieValue', [
    'expires' => time()+(7*24*3600),
    'path' => '/',
    'domain' => 'example.com',
    'samesite' => 'None',
    'secure' => true,
    'httponly' => true
]);
Another thing you can try to check the cookies, is to enable the flag below, which—in their own words—"will add console warning messages for every single cookie potentially affected by this change":
chrome://flags/#cookie-deprecation-messages
See the whole code at: https://github.com/GoogleChromeLabs/samesite-examples/blob/master/php.md, they have the code for same-site-cookies too.
As the new feature comes, SameSite=None cookies must also be marked as Secure or they will be rejected.
One can find more information about the change on chromium updates and on this blog post.
Note: not quite related directly to the question, but might be useful for others who landed here as it was my concern at first during development of my website:
If you are seeing the warning from the question that lists some 3rd party sites (in my case it was google.com, huh) - that means they need to fix it and it's nothing to do with your site. Of course unless the warning mentions your site, in which case adding Secure should fix it.
>= PHP 7.3
setcookie('key', 'value', ['samesite' => 'None', 'secure' => true]);
< PHP 7.3
exploit the path
setcookie('key', 'value', time()+(7*24*3600), "/; SameSite=None; Secure");
Emitting javascript
echo "<script>document.cookie = 'key=value; SameSite=None; Secure';</script>";
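Added example, not part of any answer on this page: instead of appending attributes through the path argument, this helper builds the Set-Cookie header itself, so it behaves the same on PHP 7.2 and on newer versions, and it refuses SameSite=None without Secure. The function names build_cookie_header() and send_cookie() are hypothetical, and the cookie name, value and domain at the bottom are constructed sample values.

```php
<?php
// Added example; build_cookie_header() and send_cookie() are hypothetical names.

function build_cookie_header(string $name, string $value, array $opt = []): string
{
    // Caller-supplied keys win; missing ones fall back to conservative defaults.
    $opt += ['expires' => 0, 'path' => '/', 'domain' => '',
             'secure' => true, 'httponly' => true, 'samesite' => 'Lax'];

    $sameSite = ucfirst(strtolower((string) $opt['samesite']));
    if (!in_array($sameSite, ['None', 'Lax', 'Strict'], true)) {
        throw new InvalidArgumentException('samesite must be None, Lax or Strict');
    }
    // The rule from the Chrome warning: SameSite=None is only accepted with Secure.
    if ($sameSite === 'None' && !$opt['secure']) {
        throw new InvalidArgumentException('SameSite=None requires secure => true');
    }
    // Reject separators, spaces and control characters so a name, path or
    // domain cannot carry extra attributes or a second header line.
    if ($name === '' || preg_match('/[=,;\x00-\x20\x7f]/', $name)) {
        throw new InvalidArgumentException('invalid cookie name');
    }
    foreach (['path', 'domain'] as $key) {
        if (preg_match('/[,;\x00-\x20\x7f]/', (string) $opt[$key])) {
            throw new InvalidArgumentException("invalid cookie $key");
        }
    }

    $header = $name . '=' . rawurlencode($value);
    if ($opt['expires'] > 0) {
        $header .= '; Expires=' . gmdate('D, d M Y H:i:s', $opt['expires']) . ' GMT';
    }
    $header .= '; Path=' . $opt['path'];
    if ($opt['domain'] !== '') { $header .= '; Domain=' . $opt['domain']; }
    if ($opt['secure'])        { $header .= '; Secure'; }
    if ($opt['httponly'])      { $header .= '; HttpOnly'; }
    return $header . '; SameSite=' . $sameSite;
}

function send_cookie(string $name, string $value, array $opt = [])
{
    // false = append, so other Set-Cookie headers in the response are kept.
    header('Set-Cookie: ' . build_cookie_header($name, $value, $opt), false);
}

// Constructed sample values, printed so the resulting header can be inspected.
echo build_cookie_header('cors-cookie', 'my-site-cookie',
    ['expires' => time() + 3600 * 24, 'domain' => 'example.com', 'samesite' => 'None']), "\n";
```

Call send_cookie() before any output is sent, the same constraint that applies to setcookie().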
I ended up fixing our Ubuntu 18.04 / Apache 2.4.29 / PHP 7.2 install for Chrome 80 by installing mod_headers:
a2enmod headers
Adding the following directive to our Apache VirtualHost configurations:
Header edit Set-Cookie ^(.*)$ "$1; Secure; SameSite=None"
And restarting Apache:
service apache2 restart
In reviewing the docs (http://www.balkangreenfoundation.org/manual/en/mod/mod_headers.html) I noticed the "always" condition has certain situations where it does not work from the same pool of response headers. Thus not using "always" is what worked for me with PHP but the docs suggest that if you want to cover all your bases you could add the directive both with and without "always". I have not tested that.