
Session cookies disappearing from Chrome with PHP/Apache server

Update: Looks like the issue that started a few days ago was due to incorrect handling of the cookie "secure" flag. We still haven't resolved the problem that started on February 1 though.

I run an internal PHP/Apache site where I work. On February 1 we started getting reports that employees were being logged out of it randomly several times a day. We had not changed any of the authentication code in years, but we noticed that Chrome received a significant update that day: https://chromereleases.googleblog.com/2017/02/stable-channel-update-for-desktop.html.

In the last few days, the issue has gotten significantly worse and Chrome is not storing the session cookie at all for some users. After navigating to the site, the server tries to set a cookie and the employee is redirected to Google for auth, and then when they get back to the site their cookie is gone.

I reproduced the issue with minimal code in this simple PHP file:

<?php

// Lifetime one week, path '/', domain '.corp.company.com',
// secure = false (cookie may be sent over plain HTTP), httponly = true
session_set_cookie_params(60 * 60 * 24 * 7, '/', '.corp.company.com', false, true);
session_name('CompanySessionID');
session_start();
$_SESSION['UserName'] = 'test';

When an affected employee visits the page, the set cookie header comes through as expected, but Chrome does not store the cookie.

Additional details:

  • I've tried all the suggestions on PHP session lost after redirect
  • Originally the problem did not affect incognito mode, but starting a few days ago it does
  • Clearing cache/cookies has never helped the issue
  • Reinstalling Chrome previously would resolve the issue for around a week
  • The problem is not present in Firefox or Safari
  • Not all employees are affected
  • All employees use OS X
  • Changing the session name from CompanySessionID to CompanySession fixed the problem for a subset of users, and broke it for another subset of users
  • The sessions are still there on the server, it's just the cookie that's missing from the browser
  • Using a proxy to watch requests I can see that there are no headers that should be deleting the cookie.
  • We're using PHP 5.4.24

How can I find the source of this issue? Should I file a bug with Chrome?

brismuth asked Apr 08 '26 14:04

1 Answer

I figured out the more recent issue with help from @cmorrissey. We rolled out HTTPS to the server recently, and when people got new cookies over HTTPS they'd get the secure flag set.

After that, the cookie would no longer be sent on requests over HTTP (as expected). However, what was unexpected is that Chrome would also no longer allow the server to set an insecure session cookie with the same name, since the secure one existed already. That's why the example PHP file shown in the question could not set the cookie at all unless the session name changed.

brismuth answered Apr 11 '26 02:04
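To make the mechanism in the answer concrete, here is an added Python model of the browser's cookie store (example code, not from the question or answer), written after the "Leave Secure Cookies Alone" storage rule of draft RFC 6265bis that Chrome implements; the host name intranet.corp.company.com is constructed. It replays the timeline above: once a Secure CompanySessionID exists, a plain-HTTP Set-Cookie with the same name is dropped entirely, while a renamed cookie goes through.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class Cookie:
    name: str
    value: str
    domain: str  # cookie Domain attribute, e.g. ".corp.company.com"
    path: str
    secure: bool

def domain_matches(a: str, b: str) -> bool:
    # either side may be a leading-dot cookie domain or a bare host name
    a, b = a.lstrip(".").lower(), b.lstrip(".").lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def path_matches(req_path: str, cookie_path: str) -> bool:
    return req_path == cookie_path or req_path.startswith(cookie_path.rstrip("/") + "/")

class CookieJar:
    def __init__(self):
        self.cookies = []

    def set_cookie(self, url: str, new: Cookie) -> bool:
        # returns False when the browser ignores the Set-Cookie header entirely
        https = urlsplit(url).scheme == "https"
        if not https and new.secure:
            return False  # an insecure origin cannot create a Secure cookie
        if not https:
            for c in self.cookies:
                if (c.name == new.name and c.secure and domain_matches(c.domain, new.domain)
                        and path_matches(new.path, c.path)):
                    return False  # would shadow an existing Secure cookie: rejected
        self.cookies = [c for c in self.cookies
                        if (c.name, c.domain, c.path) != (new.name, new.domain, new.path)]
        self.cookies.append(new)
        return True

    def names_sent_to(self, url: str) -> list:
        u = urlsplit(url)
        return [c.name for c in self.cookies if domain_matches(u.hostname, c.domain)
                and path_matches(u.path or "/", c.path) and (u.scheme == "https" or not c.secure)]

def replay_scenario() -> dict:
    # the sequence from the answer: a login over HTTPS, then pages served over plain HTTP
    jar, dom = CookieJar(), ".corp.company.com"
    https_url = "https://intranet.corp.company.com/login.php"  # constructed host name
    http_url = "http://intranet.corp.company.com/index.php"
    return {  # dict literal values are evaluated in order, so this reads as a timeline
        "https_set": jar.set_cookie(https_url, Cookie("CompanySessionID", "s1", dom, "/", True)),
        "sent_over_https": jar.names_sent_to(https_url),
        "sent_over_http": jar.names_sent_to(http_url),
        "http_reset_same_name": jar.set_cookie(http_url, Cookie("CompanySessionID", "s2", dom, "/", False)),
        "http_set_renamed": jar.set_cookie(http_url, Cookie("CompanySession", "s3", dom, "/", False)),
    }
```

The server-side consequence is that the Secure flag must be consistent: either serve the whole site over HTTPS, or set the flag only when the request actually arrived over HTTPS, so a Secure and a non-Secure variant of the same session cookie never coexist.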


