According to the article at https://php.watch/articles/PHP-Samesite-cookies and the PHP documentation at https://www.php.net/manual/en/session.security.ini.php, there are only 2 possible config options for this new feature, added in PHP 7.3:
Yet, according to the Chrome console, this needs to be set to "None":

A cookie associated with a cross-site resource at URL was set without the SameSite attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at URL and URL.
Because of this, I can no longer set cross-site cookies. What is the workaround?
SameSite=None requires Secure. The warning appears because any cookie that requests SameSite=None but is not marked Secure will be rejected. To fix this, you will have to add the Secure attribute to your SameSite=None cookies. A Secure cookie is only sent to the server with an encrypted request over the HTTPS protocol.
The None value won't give any kind of protection. The browser attaches the cookies in all cross-site browsing contexts. The default value of the SameSite attribute differs with each browser, therefore it is advised to explicitly set the value of the attribute.
You can use the $options array to set the samesite value, for example:

setcookie($name, $value, [
    'expires'  => time() + 86400,
    'path'     => '/',
    'domain'   => 'domain.example',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'None',
]);

The value of the samesite element should be either None, Lax or Strict.
The SameSite=Strict value will only allow first party cookies to be sent. This setting is good for user actions like login credentials, but the cookie will not be sent on the initial request to the webpage. The SameSite=Lax setting will allow the user to maintain a logged in status while arriving from an external link.
The SameSite cookie attribute prevents cross-site request forgery (CSRF) attacks by stopping browsers from sending cookies to other sites. A CSRF is an attack that forces end-users to execute unwanted actions on the web applications where they are currently authenticated.
If the issue is primarily a browser or tab crashing or hanging, it is less likely to be caused by the new SameSite cookie behavior. First, check if the problem persists after setting the SameSite flags above to “Disabled” (note: setting them to “Default” may or may not disable the features).
The new rule demands that all cross-site cookies set in a browser have to be set with the Secure attribute if they are to have None as their SameSite value. This is esoterically for cookies meant to be served in cross-site contexts only.
You can set the value to "None" using ini_set. There's no check that the value is supported when that function is used:
ini_set('session.cookie_samesite', 'None');
session_start();
session_set_cookie_params can also set it:
session_set_cookie_params(['samesite' => 'None']);
session_start();
The bug report for this to be supported in php.ini is here.
As @shrimpwagon said in a comment below, session.cookie_secure must be true for this to work. PHP doesn't require it, but browsers do.
ini_set('session.cookie_secure', "1");
ini_set('session.cookie_httponly', "1");
ini_set('session.cookie_samesite', 'None');
session_start();
PHP 7.4: samesite is shown in phpinfo
PHP 7.2: samesite does not exist in phpinfo
$currentCookieParams = session_get_cookie_params();
$cookie_domain = 'your domain';

if (PHP_VERSION_ID >= 70300) {
    // PHP 7.3+ accepts an options array, including the 'samesite' key.
    session_set_cookie_params([
        'lifetime' => $currentCookieParams["lifetime"],
        'path'     => '/',
        'domain'   => $cookie_domain,
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'None',
    ]);
} else {
    // Older PHP has no samesite option; smuggle the attribute in through the
    // path argument, which PHP writes into the Set-Cookie header unescaped.
    session_set_cookie_params(
        $currentCookieParams["lifetime"],
        '/; samesite=None',
        $cookie_domain,
        true,   // secure
        true    // httponly
    );
}
session_start();
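The answers above all boil down to the same rule: a session cookie with SameSite=None must also be Secure, or the browser drops it. The following is an added example (not code from the question or any answer) that wraps that rule in a small helper, assuming PHP 7.3+ and a hypothetical function name, so the combination Chrome would reject is refused before the cookie is ever sent:

```php
<?php
// Added example: build session cookie parameters that respect the rule
// "SameSite=None requires Secure". Assumes PHP >= 7.3 (array form of
// session_set_cookie_params); sameSiteSessionParams() is a hypothetical name.

function sameSiteSessionParams(string $sameSite, bool $isHttps): array
{
    $allowed = ['None', 'Lax', 'Strict'];
    if (!in_array($sameSite, $allowed, true)) {
        throw new InvalidArgumentException(
            'samesite must be one of ' . implode(', ', $allowed)
        );
    }
    // A cross-site (None) cookie that is not Secure is rejected by current
    // browsers, so fail early instead of emitting a cookie that is never sent.
    if ($sameSite === 'None' && !$isHttps) {
        throw new RuntimeException(
            'SameSite=None cookies must be Secure; serve this site over HTTPS'
        );
    }
    return [
        'lifetime' => 0,         // session cookie: expires when the browser closes
        'path'     => '/',
        'domain'   => '',        // current host only
        'secure'   => $isHttps,  // only transmitted over HTTPS
        'httponly' => true,      // not readable from JavaScript
        'samesite' => $sameSite,
    ];
}

// Detect HTTPS for this request. Behind a reverse proxy that terminates TLS
// you would instead check the header the proxy sets (e.g. X-Forwarded-Proto).
$isHttps = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (($_SERVER['SERVER_PORT'] ?? null) == 443);

// A session that has to be attached to cross-site requests, e.g. an embedded
// widget; use 'Lax' or 'Strict' for an ordinary first-party login session.
session_set_cookie_params(sameSiteSessionParams('None', $isHttps));
session_start();
```

Run it under an HTTPS virtual host; over plain HTTP (or from the CLI) it throws instead of silently setting a cookie that Chrome would block.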