PHP setcookie SameSite=Strict?
[Important update: As @caw pointed out below, this hack WILL BREAK in PHP 7.3. Stop using it now to save yourself from unpleasant surprises! Or at least wrap it in a PHP version check like if (PHP_VERSION_ID < 70300) { ... } else { ... }.]
It seems like you can abuse the "path" or "domain" parameter of PHP's "setcookie" function to sneak in the SameSite attribute because PHP does not escape semicolons:
setcookie('samesite-test', '1', 0, '/; samesite=strict');
Then PHP sends the following HTTP header:
Set-Cookie: samesite-test=1; path=/; samesite=strict
I've just discovered this a few minutes ago, so please do your own testing! I'm using PHP 7.1.11.
Maintain SameSite Strict Session Cookie Policy throughout redirect
As far as I know, payment providers usually require some kind of signed transaction token passed in the GET request. Such a token is then sent back in the GET, together with the redirections.
In such a case, assign the session data to the transaction token generated on site A, send the token with the redirection to site B, and restore the session data when the token is received with the redirect from site B.
The token must be signed, so sites A and B can be sure that it originates from site A.
This requires additional controls in place to prevent session hijacking by someone who is in possession of such a token: some kind of additional session validation must be in place, for example browser fingerprinting.
In such case there's no need to get the same session cookie.
How to tell PHP to use SameSite=None for cross-site cookies?
You can set the value to "None" using ini_set. There's no check that the value is supported when that function is used:
ini_set('session.cookie_samesite', 'None');
session_start();
session_set_cookie_params can also set it:
session_set_cookie_params(['samesite' => 'None']);
session_start();
The bug report for this to be supported in php.ini is here.
As @shrimpwagon said in a comment below, session.cookie_secure must be true for this to work. PHP doesn't require it, but browsers do.
PHP setting a Session-Cookie with samesite
As of PHP 7.3 you can throw an options array into set_cookie_params that supports SameSite.
session_set_cookie_params([
'lifetime' => $cookie_timeout,
'path' => '/',
'domain' => $cookie_domain,
'secure' => $session_secure,
'httponly' => $cookie_httponly,
'samesite' => 'Lax'
]);
On PHP <7.3 you can add the SameSite attribute by appending it to the "path" param.
// PHP < 7.3 has no 'samesite' option and only accepts the positional
// signature, so the attribute is appended to the path argument instead
// (PHP < 7.3 does not escape ';' there)
session_set_cookie_params(
$cookie_timeout,
'/; SameSite=None', // <-- this way!
$cookie_domain,
$session_secure,
$cookie_httponly
);
How to fix set SameSite cookie to none warning?
I'm also in a "trial and error" for that, but this answer from Google Chrome Labs' GitHub helped me a little. I defined it into my main file and it worked - well, for only one third-party domain. Still making tests, but I'm eager to update this answer with a better solution :)
I'm using PHP 7.4 now, and this syntax works well (Sept 2020):
$cookie_options = array(
'expires' => time() + 60*60*24*30,
'path' => '/',
'domain' => '.example.com', // leading dot for compatibility or use subdomain
'secure' => true, // or false
'httponly' => false, // or true
'samesite' => 'None' // None || Lax || Strict
);
setcookie('cors-cookie', 'my-site-cookie', $cookie_options);
If you have PHP 7.2 or lower (as Robert answered below):
setcookie('key', 'value', time()+(7*24*3600), "/; SameSite=None; Secure");
If your host is already updated to PHP 7.3, you can use (thanks to Mahn's comment):
setcookie('cookieName', 'cookieValue', [
'expires' => time()+(7*24*3600),
'path' => '/',
'domain' => 'example.com',
'samesite' => 'None',
'secure' => true,
'httponly' => true
]);
Another thing you can try to check the cookies, is to enable the flag below, which—in their own words—"will add console warning messages for every single cookie potentially affected by this change":
chrome://flags/#cookie-deprecation-messages
See the whole code at: https://github.com/GoogleChromeLabs/samesite-examples/blob/master/php.md, they have the code for same-site-cookies too.
PHP setcookie function including samesite parameter does not work
When you set a cookie with SameSite=None it'll be blocked (by the browser) unless it also has Secure, which is omitted/set to false in the code snippets.
setcookie(
'_siteauth',
Crypt::encrypt(site()->password),
[
'expires' => time() + 86400,
'path' => '/',
'domain' => $_SERVER['HTTP_HOST'],
'samesite' => 'None',
'secure' => true,
]
);
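The answers above each cover one piece: the PHP_VERSION_ID check from the first answer, the path-smuggling fallback for PHP < 7.3, and the browser rule that SameSite=None needs Secure. The following wrapper puts them together; it is an added example, not code from any of the answers, and the function name set_samesite_cookie is ours.

```php
<?php
// Added example: set a SameSite cookie on any PHP version and refuse
// to emit a SameSite=None cookie that browsers would drop for lacking Secure.
function set_samesite_cookie(
    string $name,
    string $value,
    int $expires,
    string $path = '/',
    string $domain = '',
    bool $secure = true,
    bool $httponly = true,
    string $samesite = 'Lax'
): bool {
    $samesite = ucfirst(strtolower($samesite));
    if (!in_array($samesite, ['Strict', 'Lax', 'None'], true)) {
        throw new InvalidArgumentException("Unsupported SameSite value: $samesite");
    }
    // Browsers silently reject SameSite=None without Secure; fail loudly instead.
    if ($samesite === 'None' && !$secure) {
        throw new InvalidArgumentException('SameSite=None requires Secure');
    }

    if (PHP_VERSION_ID >= 70300) {
        // Native support: options-array form of setcookie().
        return setcookie($name, $value, [
            'expires'  => $expires,
            'path'     => $path,
            'domain'   => $domain,
            'secure'   => $secure,
            'httponly' => $httponly,
            'samesite' => $samesite,
        ]);
    }

    // PHP < 7.3 does not know the attribute but does not escape ';' in the
    // path argument, so it can be appended there. PHP 7.3+ rejects such a
    // path, which is why the version check above is mandatory.
    return setcookie(
        $name, $value, $expires,
        $path . '; SameSite=' . $samesite,
        $domain, $secure, $httponly
    );
}

// Usage (constructed values): a cross-site cookie that browsers will accept.
set_samesite_cookie('cors-cookie', 'my-site-cookie', time() + 86400, '/', '', true, true, 'None');
```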