SameSite attribute and Facebook SDK

I am trying to solve the warning that I get from Chrome browser:

A cookie associated with a cross-site resource at http://www.facebook.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

I am using the Facebook Login web SDK. When trying to get rid of the warning I created a very simple page with no cookies. The single cookie is not created by my script but is the one from Facebook. Looks like the backend code does not really affect the cookie. It is set in the response header.

In the PHP code I have introduced this code:

$fbcook = $_COOKIE[$facebookcookiename];
setrawcookie($facebookcookiename, $fbcook, ['samesite' => 'None', 'secure' => true]);

And it takes effect, when I debug the network I see in the headers:

set-cookie: fbcookie=value; secure; SameSite=None

The raw value is base_domain=.blabla.bla

The cookie attributes in request header:

cookie: fbcookie=value

And there is the network debug info in Chrome: [screenshot of the Chrome network panel]

I would expect this if it is set once again at facebook.com, because I see in the warning 'at http://www.facebook.com/' and not about my site blabla.bla. Is there a way to get rid of the warning? Another question: will the functionality be affected when Chrome changes the policy? I would like to do it without changing the settings of the browser. It is unlikely that users of the site will make any changes to get rid of any security fixes in the browser.

armagedescu asked Feb 21 '20 10:02


1 Answer

No, this is not something you can do anything about. This isn’t your cookie, it is one set by Facebook, valid for their domain.

Facebook has to fix this, and you can probably rest assured that they will do so in time, otherwise it will likely break login functionality on a lot of sites.

CBroe answered Oct 05 '22 18:10
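As an added example (not code from the question or the answer), a small Python audit of Set-Cookie header values against the rule in Chrome's warning: a cookie is delivered on cross-site requests only with SameSite=None together with Secure, a missing SameSite attribute is treated as Lax, and SameSite=None without Secure is rejected. The sample headers are constructed to mirror the question; run it over headers from your own responses, since a cookie set in a response from facebook.com is not yours to change.

```python
# Chrome's cross-site cookie rule, as quoted in the warning above:
# delivered cross-site only if SameSite=None AND Secure; no SameSite
# attribute defaults to Lax; SameSite=None without Secure is rejected.

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, {attr: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # attribute names are case-insensitive
    return name.strip(), value, attrs


def cross_site_status(header):
    """Describe how Chrome treats this cookie on a cross-site request."""
    _, _, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    secure = "secure" in attrs
    if samesite == "none":
        return "sent cross-site" if secure else "rejected: SameSite=None requires Secure"
    if samesite == "":
        return "not sent cross-site (defaults to Lax; triggers the warning)"
    return f"not sent cross-site (SameSite={samesite.capitalize()})"


def audit(headers):
    """Return [(cookie name, status)] for a list of Set-Cookie header values."""
    return [(parse_set_cookie(h)[0], cross_site_status(h)) for h in headers]


# Constructed sample headers modelled on the question (not captured traffic).
SAMPLE_HEADERS = [
    "fbcookie=value; secure; SameSite=None",     # the asker's rewritten cookie
    "fbcookie=value",                            # as originally set: no SameSite
    "session=abc; SameSite=None",                # None without Secure: rejected
    "csrf=xyz; Secure; HttpOnly; SameSite=Lax",  # first-party only, no warning
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE_HEADERS):
        print(f"{name}: {status}")
```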