Jump to content

setting samesite in php7.1.x


ajoo

Recommended Posts

Hi,

This is what I tried  since my cookie is set using session_set and get cookie params:

$cookieParams = session_get_cookie_params();
$cookieParams["domain"] = $cookieParams["domain"]+"; SameSite=None";

The I used this to set the cookie params using session_set_cookie_params but nogo.

How do you think I should inject this then ?

Thanks.

 

 

Link to comment
Share on other sites

	$session_name = 'sec_session_id'; 
        $secure = true; 
        $httponly = true; 
        ini_set('session.use_only_cookies', 1);
        $cookieParams = session_get_cookie_params(); 
	$cookieParams["domain"] = $cookieParams["domain"]."; SameSite=None";
        session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);   
        session_name($session_name); 
        session_start();

Here's the rest of it.

Link to comment
Share on other sites

chrome warnings are the same as in the previous message;

Request Header:

Quote

Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3

Accept-Encoding:  gzip, deflate, br

Accept-Language: en-US,en;q=0.9

Cache-Control: no-cache

Connection: keep-alive

Cookie: sec_session_id=bb76fff5de222aab7262f16c21d3b584

Host: noos-800-tnv-5564-test-project.sp.smiles.cloud

Pragma: no-cache

Sec-Fetch-Mode: navigate

Sec-Fetch-Site: none

Sec-Fetch-User: ?1

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36

 

Response Header

Quote

Cache-Control:no-store, no-cache, must-revalidate

Connection:close

Content-Length:4333

Content-Security-Policy-Report-Only:default-src 'self'; img-src 'self' data: http:; script-src 'self' data: https://www.google.com/ https://ajax.googleapis.com/ https://www.gstatic.com/ https://noos-800-tnj-5565-test-project.sp.smiles.cloud/; report-uri https://noos-800-tnj-5565-test-project.sp.smiles.cloud/reports/reportcspviolation.php

Content-Type: text/html; charset=UTF-8

Date: Thu, 07 Nov 2019 10:29:12 GMT

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Pragma: no-cache

Server: Apache

 

image.thumb.png.263daaf09a58886f8c39ea5b1b53ccf5.png

 

image.png.0fbfcb8e26fc9a71afb5f78154e6e66d.png

 

Here's all the relevant information I think. The cookies in storage shows samesite as none which was earlier blank. The cookies under Network in devops shows samesite as blank. Why does domain and path shows as N/A?

This is how my site invokes the setting of the cookie on my index page.

if(!isset($_SESSION)) sess_start();

 and sess_start is the code that I posted in my earlier reply. 

Thanks ! 

 

 

Edited by ajoo
Link to comment
Share on other sites

Hi, 

I could have sworn that I posted the error messages but as rightly stated they are not there !😲 Sorry about that.

Here are the messages that I receive  (15 of them):

Quote

A cookie associated with a cross-site resource at http://google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

A cookie associated with a cross-site resource at https://mail.google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.


flogin.php:1 A cookie associated with a cross-site resource at https://mail-ads.google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.


flogin.php:1 A cookie associated with a cross-site resource at https://google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.


flogin.php:1 A cookie associated with a cross-site resource at https://drive.google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

with different URLS all originating in google.

I get these messages in chrome after I deleted the cookies manually and also deleted all the rest in chrome from the settings. 

In FireFox however, I receive no such messages ??

Thanks !

 

 

Link to comment
Share on other sites

Sigh.

Quote

A cookie associated with a cross-site resource at http://google.com/

A cookie associated with a cross-site resource at https://mail.google.com/

A cookie associated with a cross-site resource at https://mail-ads.google.com/

A cookie associated with a cross-site resource at https://google.com/

A cookie associated with a cross-site resource at https://drive.google.com/

Do you control any of those domains?

Link to comment
Share on other sites

Hi, 

No I don't. I did read some posts where they said that these are to be fixed by google at their end but also quite a few which attempted to fix these "irritating" warnings. Hence I thought that I would try and make changes so that these won't appear. I think that the  missed error messages, at the very beginning, created a lot of confusion. 

So i do nothing at all and let google fix these as and when in some future version?

Thanks.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.