PHP Setcookie "Samesite=Strict"

PHP setcookie SameSite=Strict ?

[Important update: As @caw pointed out below, this hack WILL BREAK in PHP 7.3. Stop using it now to save yourself from unpleasant surprises! Or at least wrap it in a PHP version check like if (PHP_VERSION_ID < 70300) { ... } else { ... }.]

It seems like you can abuse the "path" or "domain" parameter of PHP's "setcookie" function to sneak in the SameSite attribute because PHP does not escape semicolons:

setcookie('samesite-test', '1', 0, '/; samesite=strict');

Then PHP sends the following HTTP header:

Set-Cookie: samesite-test=1; path=/; samesite=strict

I just discovered this a few minutes ago, so please do your own testing! I'm using PHP 7.1.11.

Maintain SameSite Strict Session Cookie Policy throughout redirect

As far as I know, payment providers usually require some kind of signed transaction token passed in the GET request. Such a token is then sent back in the GET, together with the redirections.

In such a case, assign the session data to the transaction token generated on site A, send the token with the redirection to site B, and restore the session data when the token is received with the redirect from site B.

The token must be signed, so sites A and B can be sure that it originates from site A.

This requires additional controls in place to prevent session hijacking by someone who is in possession of such a token: some kind of additional session validation must be in place, for example browser fingerprinting.

In such a case there's no need to get the same session cookie.

How to tell PHP to use SameSite=None for cross-site cookies?

You can set the value to "None" using ini_set. There's no check that the value is supported when that function is used:

ini_set('session.cookie_samesite', 'None');
session_start();

session_set_cookie_params can also set it:

session_set_cookie_params(['samesite' => 'None']);
session_start();

The bug report for this to be supported in php.ini is here.

As @shrimpwagon said in a comment below, session.cookie_secure must be true for this to work. PHP doesn't require it, but browsers do.

PHP setting a Session-Cookie with samesite

As of PHP 7.3 you can pass an options array to session_set_cookie_params that supports SameSite.

session_set_cookie_params([
    'lifetime' => $cookie_timeout,
    'path'     => '/',
    'domain'   => $cookie_domain,
    'secure'   => $session_secure,
    'httponly' => $cookie_httponly,
    'samesite' => 'Lax'
]);

On PHP <7.3 you can add the SameSite attribute by appending it to the "path" param (the array form does not exist there, so the positional signature has to be used).

session_set_cookie_params(
    $cookie_timeout,
    '/; SameSite=None', // <-- this way! PHP < 7.3 does not escape the ';', so the attribute rides along in the path
    $cookie_domain,
    $session_secure,
    $cookie_httponly
);

How to fix set SameSite cookie to none warning?

I'm also in a "trial and error" for that, but this answer from Google Chrome Labs' GitHub helped me a little. I defined it into my main file and it worked - well, for only one third-party domain. Still making tests, but I'm eager to update this answer with a better solution :)

I'm using PHP 7.4 now, and this syntax is working well (Sept 2020):

$cookie_options = array(
    'expires'  => time() + 60*60*24*30,
    'path'     => '/',
    'domain'   => '.example.com', // leading dot for compatibility, or use a subdomain
    'secure'   => true,           // or false
    'httponly' => false,          // or true
    'samesite' => 'None'          // None || Lax || Strict
);

setcookie('cors-cookie', 'my-site-cookie', $cookie_options);

If you have PHP 7.2 or lower (as Robert's answered below):

setcookie('key', 'value', time()+(7*24*3600), "/; SameSite=None; Secure");

If your host is already updated to PHP 7.3, you can use (thanks to Mahn's comment):

setcookie('cookieName', 'cookieValue', [
    'expires'  => time() + (7*24*3600),
    'path'     => '/',
    'domain'   => 'example.com',
    'samesite' => 'None',
    'secure'   => true,
    'httponly' => true
]);

Another thing you can try, to check the cookies, is to enable the flag below, which—in their own words—"will add console warning messages for every single cookie potentially affected by this change":

chrome://flags/#cookie-deprecation-messages

See the whole code at: https://github.com/GoogleChromeLabs/samesite-examples/blob/master/php.md; they also have the code for same-site cookies.

PHP setcookie function including samesite parameter does not work

When you set a cookie with SameSite=None it'll be blocked (by the browser) unless it also has Secure, which is omitted/set to false in the code snippets.

setcookie(
    '_siteauth',
    Crypt::encrypt(site()->password),
    [
        'expires'  => time() + 86400,
        'path'     => '/',
        'domain'   => $_SERVER['HTTP_HOST'],
        'samesite' => 'None',
        'secure'   => true,
    ]
);
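The points made across the answers above (the PHP_VERSION_ID check from the first update, the pre-7.3 path trick, and the rule that SameSite=None is only honoured together with Secure) combined into one helper, as an added example that is not code from any of the answers. The function name set_samesite_cookie is hypothetical and it assumes PHP 7.0 or later.

```php
<?php
// Added example (not from any answer above). Assumes PHP >= 7.0.
// set_samesite_cookie() is a hypothetical helper name.

/**
 * Set a cookie carrying a SameSite attribute on any PHP version.
 *  - PHP >= 7.3: options-array form of setcookie(), which validates 'samesite'.
 *  - PHP <  7.3: the attribute is appended to the path, because setcookie()
 *    there does not escape ';' (the trick the answers above rely on).
 * SameSite=None without Secure is refused here, since browsers drop such cookies.
 */
function set_samesite_cookie(string $name, string $value, array $opts = []): bool
{
    $opts += [
        'expires'  => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ];

    // Normalise the casing so 'none', 'NONE' and 'None' are all accepted.
    $samesite = ucfirst(strtolower((string) $opts['samesite']));
    if (!in_array($samesite, ['Strict', 'Lax', 'None'], true)) {
        throw new InvalidArgumentException("Unsupported SameSite value: {$opts['samesite']}");
    }
    if ($samesite === 'None' && !$opts['secure']) {
        throw new InvalidArgumentException('SameSite=None requires the Secure flag');
    }
    $opts['samesite'] = $samesite;

    if (PHP_VERSION_ID >= 70300) {
        // Native support: PHP emits "; SameSite=<value>" itself.
        return setcookie($name, $value, $opts);
    }

    // Legacy branch: positional signature, attribute smuggled through the path.
    $path = rtrim($opts['path'], '; ') . '; SameSite=' . $samesite;
    return setcookie($name, $value, $opts['expires'], $path, $opts['domain'],
                     $opts['secure'], $opts['httponly']);
}

// Usage: a cookie that must be sent in cross-site requests (e.g. an embedded widget).
set_samesite_cookie('widget_session', bin2hex(random_bytes(16)), [
    'expires'  => time() + 3600,
    'samesite' => 'None',   // forces 'secure' => true above
]);
```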
