How to Fix "Set Samesite Cookie to None" Warning

How to fix set SameSite cookie to none warning?

I'm also in a "trial and error" for that, but this answer from Google Chrome Labs' GitHub helped me a little. I defined it into my main file and it worked - well, for only one third-party domain. Still making tests, but I'm eager to update this answer with a better solution :)

I'm using PHP 7.4 now, and this syntax is working well (Sept 2020):

$cookie_options = array(
'expires' => time() + 60*60*24*30,
'path' => '/',
'domain' => '.example.com', // leading dot for compatibility or use subdomain
'secure' => true, // or false
'httponly' => false, // or true
'samesite' => 'None' // None || Lax || Strict
);

setcookie('cors-cookie', 'my-site-cookie', $cookie_options);

If you have PHP 7.2 or lower (as Robert's answered below):

setcookie('key', 'value', time()+(7*24*3600), "/; SameSite=None; Secure");

If your host is already updated to PHP 7.3, you can use (thanks to Mahn's comment):

setcookie('cookieName', 'cookieValue', [
'expires' => time()+(7*24*3600),
'path' => '/',
'domain' => 'example.com',
'samesite' => 'None',
'secure' => true,
'httponly' => true
]);

Another thing you can try, to check the cookies, is to enable the flag below, which, in their own words, "will add console warning messages for every single cookie potentially affected by this change":

chrome://flags/#cookie-deprecation-messages

See the whole code at: https://github.com/GoogleChromeLabs/samesite-examples/blob/master/php.md; they have the code for same-site cookies too.

Session cookie set `SameSite=None; Secure;` does not work

My question is why, when I use Secure, only the Chrome browser blocks
the cookie, but it works in other browsers

I am not sure about other browsers, but Chrome implements a strategy of allowing cookies with the Secure attribute over a secure connection, as per this IETF draft.

While this draft is implemented for Chrome, it is not on Firefox, which is why, if you go to about:config > network.cookie.sameSite.noneRequiresSecure on Firefox, the default value is false.

If you just need to do it for your local dev environment, you can retain the old behavior for cookies in Chrome by disabling:

  1. chrome://flags/#same-site-by-default-cookies
  2. chrome://flags/#cookies-without-same-site-must-be-secure

I have to support legacy HTTP clients, but if I make the https:// origin
secure, I can't set the cookie from http; moreover, I can't access this
cookie from http. My goal is to have SameSite=None; Secure on https and
not secure on the http:// origin. Any ideas, instead of establishing
protests near Google's office?

Given that it is going to be the standard in the near future, I doubt you will be able to achieve this behavior for client applications; the only route is to go secure, HTTPS.

Reference:

  1. https://web.dev/samesite-cookies-explained/#changes-to-the-default-behavior-without-samesite
  2. https://redmondmag.com/articles/2020/01/28/samesite-cookie-changes-break-apps.aspx

Unable to set SameSite=None PHP 7.4 no error no warning

It turned out my syntax was all right. I missed the point of what happens when I set 'secure' to 'true' (as a byproduct of SameSite=None).

I just learned that when you set secure to true on a cookie, it means that cookie will only be set if there is a secure connection, i.e. if the site has HTTPS.

Working from a localhost Docker environment I didn't have HTTPS, so that's why the cookie was not being set at all; no warning or error was thrown either.

The solution was to get HTTPS. I had a test server up with HTTPS, where I uploaded my application, and it all worked out.

How to tell PHP to use SameSite=None for cross-site cookies?

You can set the value to "None" using ini_set. There's no check that the value is supported when that function is used:

ini_set('session.cookie_samesite', 'None');
session_start();

session_set_cookie_params can also set it:

session_set_cookie_params(['samesite' => 'None']);
session_start();

The bug report for this to be supported in php.ini is here.


As @shrimpwagon said in a comment below, session.cookie_secure must be true for this to work. PHP doesn't require it, but browsers do.

Fix Not Working: A cookie associated with a cross-site resource was set without the `SameSite` attribute

What you have showing there is two cookies, one with the session id, and another whose name is SameSite. Neither of these has any SameSite attribute (hence the blank space under the SameSite column).

You're not supposed to set a separate cookie for SameSite=None. SameSite is a cookie attribute, which is meant to be attached to the cookie it refers to.

The way you use it is like this:

Set-Cookie: sessionid=12345; SameSite=None; Secure

Note that this is a single Set-Cookie header. If you use two separate Set-Cookie lines, the browser will interpret it as two separate cookies, which is not what you want.
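Added example, not taken from any of the answers above: a small Python model of the browser-side rules these threads keep running into. It parses a Set-Cookie header the way a browser does (one header is one cookie, everything after a ';' is an attribute of that cookie), builds an approximation of the header PHP's setcookie() emits for both the options-array form and the PHP 7.2 "path" workaround quoted earlier, and audits each header against the Chrome behavior described in the answers: no SameSite attribute means Lax, SameSite=None needs Secure, and a Secure cookie on a non-HTTPS response is dropped without PHP reporting anything. The function names, the exact header layout (Expires/Max-Age left out) and all sample headers are my own constructions.

```python
"""Browser-side model of Set-Cookie handling for the SameSite=None cases above.
Added example; the header format is an approximation of PHP's setcookie() output."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    # attribute name (lower-cased) -> value, or None for flag attributes such as Secure
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """One Set-Cookie header is exactly one cookie: the first 'name=value' pair
    is the cookie itself, every ';'-separated part after it is an attribute."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip())
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        cookie.attrs[key.strip().lower()] = val.strip() if has_value else None
    return cookie


def php_setcookie_header(name: str, value: str, path: str = "/",
                         domain: Optional[str] = None, secure: bool = False,
                         httponly: bool = False, samesite: Optional[str] = None) -> str:
    """Approximation of what PHP >= 7.3 setcookie() emits for the options-array
    form (Expires/Max-Age omitted so the result is deterministic).
    Passing path='/; SameSite=None; Secure' reproduces the PHP <= 7.2 workaround
    from the answers: the extra attributes simply ride along inside the path."""
    header = f"{name}={value}; path={path}"
    if domain:
        header += f"; domain={domain}"
    if secure:
        header += "; secure"
    if httponly:
        header += "; HttpOnly"
    if samesite:
        header += f"; SameSite={samesite}"
    return header


def audit(header: str, scheme: str) -> List[str]:
    """Reasons Chrome 80+ would drop or downgrade the cookie carried by `header`
    when the response arrived over `scheme` ('http' or 'https').
    An empty list means the cookie is stored with the intended attributes."""
    cookie = parse_set_cookie(header)
    problems: List[str] = []
    samesite = (cookie.attrs.get("samesite") or "").lower()
    secure = "secure" in cookie.attrs
    if not samesite:
        problems.append("no SameSite attribute: Chrome treats it as SameSite=Lax, "
                        "so it is not sent on cross-site requests")
    elif samesite == "none" and not secure:
        problems.append("SameSite=None without Secure: Chrome rejects the cookie")
    if secure and scheme != "https":
        problems.append("Secure attribute on a non-HTTPS response: the browser "
                        "drops the cookie, and PHP itself raises no warning")
    return problems


def demo() -> Dict[str, object]:
    """Run the cases from the threads above on constructed headers."""
    options_form = php_setcookie_header("cookieName", "cookieValue", domain="example.com",
                                        secure=True, httponly=True, samesite="None")
    path_hack = php_setcookie_header("key", "value", path="/; SameSite=None; Secure")
    # The mistake from the 'Fix Not Working' question: two Set-Cookie lines,
    # the second of which is a cookie literally named 'SameSite'
    two_lines = ["sessionid=12345", "SameSite=None"]
    return {
        "php73_options_https": audit(options_form, "https"),
        "php72_path_hack_https": audit(path_hack, "https"),
        "options_form_over_http": audit(options_form, "http"),
        "none_without_secure": audit("sessionid=12345; SameSite=None", "https"),
        "two_header_cookie_names": [parse_set_cookie(h).name for h in two_lines],
        "two_header_first_cookie": audit(two_lines[0], "https"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Run it as a script and the two correct forms (options array, and the 7.2 path workaround) audit clean over HTTPS, the same options-array cookie over plain HTTP is reported as dropped, SameSite=None without Secure is reported as rejected, and the two-line variant parses as two cookies named `sessionid` and `SameSite`, the first of which falls back to Lax.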

How can I resolve a cross-site Google Analytics cookie `SameSite=None` warning in Chrome on Apache 2.4 and PHP 7.1?

I got a response from Google Chrome Labs after I posted a similar question on their github page.

The cookies triggering the warning are coming from google.com so you will not be able to alter them. The Ads team is aware of these issues and is working to get their cookies fixed before the Feb 2020 stable date. It also means that none of the header directives you're specifying will affect the google.com cookie, it will only cover cookies set for your site.

If you have any cookie warnings that specifically list a domain you control, then you will need to add the correct attributes.
-rowan-m
