PHP setcookie "SameSite=Strict"?

I recently read RFC 6265 on the "Same Site" attribute, and I looked at some articles that said that in April 2016 the "same-site" attribute was implemented in Chrome 51 and Opera 39 ...

I wonder whether current PHP supports creating cookies with this attribute?

Reference:

  • Feature documentation on Chrome’s chromestatus.com
  • HTTPbis draft first adopted by Chrome
  • Latest HTTPbis draft
Lauro Moraes Avatar asked Sep 28 '16 14:09



1 Answer

1. For PHP >= v7.3

You can use the $options array to set the samesite value, for example:

    setcookie($name, $value, [
        'expires'  => time() + 86400,
        'path'     => '/',
        'domain'   => 'domain.com',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'None',
    ]);

The value of the samesite element should be either None, Lax or Strict.

Read more in the manual page.

2. For PHP < v7.3

You can use one of the following solutions/workarounds, depending on your codebase/needs.

2.1 Setting SameSite cookies using Apache configuration

You can add the following line to your Apache configuration:

    Header always edit Set-Cookie (.*) "$1; SameSite=Lax"

and this will update all your cookies with the SameSite=Lax flag.

See more here: https://blog.giantgeek.com/?p=1872

2.2 Setting SameSite cookies using Nginx configuration

    location / {
        # your usual config ...
        # hack, set all cookies to secure, httponly and samesite (strict or lax)
        proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
    }

Same here, this will also update all your cookies with the SameSite=Lax flag.

See more here: https://serverfault.com/questions/849888/add-samesite-to-cookies-using-nginx-as-reverse-proxy

2.3 Setting SameSite cookies using header method

As we know, cookies are just a header in the HTTP request with the following structure:

    Set-Cookie: key=value; path=/; domain=example.org; HttpOnly; SameSite=Lax

so we can just set the cookies with the header method:

    header("Set-Cookie: key=value; path=/; domain=example.org; HttpOnly; SameSite=Lax");

In fact, Symfony is not waiting for PHP 7.3 and is already doing it under the hood, see here

📝 You can use the same in Laravel too, because Laravel uses Symfony's Symfony\Component\HttpFoundation\Cookie class under the hood.

2.4 Setting SameSite cookies using a bug in the setcookie method

    setcookie('cookie-name', '1', 0, '/; samesite=strict');

Be careful with this one, it's a known bug in PHP's setcookie method and already resolved in PHP 7.3, see here - https://github.com/php/php-src/commit/5cb825df7251aeb28b297f071c35b227a3949f01

Marty Aghajanyan Avatar answered Oct 13 '22 04:10

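The following is an added example, not code from the question or the answer above: a small PHP helper that combines the answer's section 1 (the $options array on PHP >= 7.3) with its section 2.3 (a hand-built Set-Cookie header on older versions) behind a version check, and refuses to emit SameSite=None without Secure, since browsers that implement the newer draft drop such cookies. The function names set_samesite_cookie and cookies_missing_samesite, and the cookie names and values used at the bottom, are this example's own constructed choices.

```php
<?php
// Added example (not from the original answer): set a cookie with an explicit
// SameSite attribute on any PHP version, and list queued Set-Cookie headers
// that lack the attribute so a test or debug endpoint can catch regressions.

declare(strict_types=1);

/**
 * Emit a cookie with an explicit SameSite attribute.
 *
 * @param string $name     cookie name
 * @param string $value    cookie value
 * @param int    $expires  Unix timestamp, 0 for a session cookie
 * @param string $path     cookie path
 * @param string $samesite 'Lax', 'Strict' or 'None'
 * @param bool   $secure   add the Secure flag (mandatory for SameSite=None)
 * @param bool   $httponly add the HttpOnly flag
 */
function set_samesite_cookie(
    string $name,
    string $value,
    int $expires = 0,
    string $path = '/',
    string $samesite = 'Lax',
    bool $secure = true,
    bool $httponly = true
): bool {
    // Normalise the attribute value so 'strict', 'STRICT' and 'Strict' all work.
    $samesite = ucfirst(strtolower($samesite));
    if (!in_array($samesite, ['Lax', 'Strict', 'None'], true)) {
        throw new InvalidArgumentException("Invalid SameSite value: $samesite");
    }
    // Browsers following the newer draft reject SameSite=None cookies that are
    // not also marked Secure, so do not emit one.
    if ($samesite === 'None' && !$secure) {
        throw new InvalidArgumentException('SameSite=None requires the Secure flag');
    }

    if (PHP_VERSION_ID >= 70300) {
        // Native support: the options array form of setcookie().
        return setcookie($name, $value, [
            'expires'  => $expires,
            'path'     => $path,
            'secure'   => $secure,
            'httponly' => $httponly,
            'samesite' => $samesite,
        ]);
    }

    // Fallback for PHP < 7.3: build the Set-Cookie header by hand.
    if (headers_sent()) {
        return false;
    }
    $parts = [rawurlencode($name) . '=' . rawurlencode($value)];
    if ($expires !== 0) {
        $parts[] = 'Expires=' . gmdate('D, d M Y H:i:s \G\M\T', $expires);
        $parts[] = 'Max-Age=' . max(0, $expires - time());
    }
    $parts[] = 'Path=' . $path;
    if ($secure) {
        $parts[] = 'Secure';
    }
    if ($httponly) {
        $parts[] = 'HttpOnly';
    }
    $parts[] = 'SameSite=' . $samesite;
    // Second argument false: append, do not replace other Set-Cookie headers.
    header('Set-Cookie: ' . implode('; ', $parts), false);
    return true;
}

/**
 * Defensive check: return every Set-Cookie header queued so far that carries
 * no SameSite attribute (only meaningful under a web SAPI, where headers_list()
 * reports queued headers; on the CLI it is always empty).
 */
function cookies_missing_samesite(): array
{
    $missing = [];
    foreach (headers_list() as $header) {
        if (stripos($header, 'Set-Cookie:') === 0
            && stripos($header, 'SameSite=') === false) {
            $missing[] = $header;
        }
    }
    return $missing;
}

// Usage with constructed values (run behind a web server, not the CLI):
set_samesite_cookie('session', 'abc123', 0, '/', 'Strict');
set_samesite_cookie('prefs', 'dark', time() + 86400, '/', 'Lax', true, false);
header('Set-Cookie: legacy=1; Path=/', false);   // deliberately lacks SameSite
print_r(cookies_missing_samesite());             // reports only the "legacy" header
```

The version check means the same call site works before and after an upgrade to 7.3, and the check at the end is the kind of thing to run in an integration test against the framework's own session and CSRF cookies, since those are the ones a reverse-proxy rewrite such as the Apache or Nginx rules above would otherwise have to cover.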