setting samesite in php7.1.x

[ajoo]

Hi, 

In < PHP7.3, is it possible to set the session.cookie_samesite to "none' and secure to do away with the warning messages of chrome ?

Thanks.

 

[requinix]

The cookie parameters are not validated, as far as I know. You can hijack the path or domain settings to inject a SameSite= value.

session.cookie_domain = ".example.com; SameSite=None"

 

[ajoo]

Hi,

This is what I tried  since my cookie is set using session_set and get cookie params:

$cookieParams = session_get_cookie_params();
$cookieParams["domain"] = $cookieParams["domain"]+"; SameSite=None";

The I used this to set the cookie params using session_set_cookie_params but nogo.

How do you think I should inject this then ?

Thanks.

 

 

[requinix]

What does the + operator do?

[ajoo]

Oh Damn ! been working on JS last so many days !🤯

I'll get back. Thanks.

P.S. Same result with the "." operator. 😒

Edited November 6, 2019 by ajoo

[requinix]

What's the rest of the code?

[ajoo]

	$session_name = 'sec_session_id'; 
        $secure = true; 
        $httponly = true; 
        ini_set('session.use_only_cookies', 1);
        $cookieParams = session_get_cookie_params(); 
	$cookieParams["domain"] = $cookieParams["domain"]."; SameSite=None";
        session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);   
        session_name($session_name); 
        session_start();

Here's the rest of it.

[requinix]

Working for me.

What does your browser report for the Set-Cookie response header? What is the Chrome warning?

[ajoo]

chrome warnings are the same as in the previous message;

Request Header:

Quote

Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3

Accept-Encoding:  gzip, deflate, br

Accept-Language: en-US,en;q=0.9

Cache-Control: no-cache

Connection: keep-alive

Cookie: sec_session_id=bb76fff5de222aab7262f16c21d3b584

Host: noos-800-tnv-5564-test-project.sp.smiles.cloud

Pragma: no-cache

Sec-Fetch-Mode: navigate

Sec-Fetch-Site: none

Sec-Fetch-User: ?1

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36

 

Response Header

Quote

Cache-Control:no-store, no-cache, must-revalidate

Connection:close

Content-Length:4333

Content-Security-Policy-Report-Only:default-src 'self'; img-src 'self' data: http:; script-src 'self' data: https://www.google.com/ https://ajax.googleapis.com/ https://www.gstatic.com/ https://noos-800-tnj-5565-test-project.sp.smiles.cloud/; report-uri https://noos-800-tnj-5565-test-project.sp.smiles.cloud/reports/reportcspviolation.php

Content-Type: text/html; charset=UTF-8

Date: Thu, 07 Nov 2019 10:29:12 GMT

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Pragma: no-cache

Server: Apache

 

 

 

Here's all the relevant information I think. The cookies in storage shows samesite as none which was earlier blank. The cookies under Network in devops shows samesite as blank. Why does domain and path shows as N/A?

This is how my site invokes the setting of the cookie on my index page.

if(!isset($_SESSION)) sess_start();

 and sess_start is the code that I posted in my earlier reply. 

Thanks ! 

 

 

Edited November 7, 2019 by ajoo

[requinix]

17 minutes ago, ajoo said:

chrome warnings are the same as in the previous message;

I'm sure, but you never actually said what the warning is.

 

I don't see a Set-Cookie in the response. Delete the session cookie manually and try again.

[ajoo]

Hi, 

I could have sworn that I posted the error messages but as rightly stated they are not there !😲 Sorry about that.

Here are the messages that I receive  (15 of them):

Quote

A cookie associated with a cross-site resource at http://google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

A cookie associated with a cross-site resource at https://mail.google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

flogin.php:1 A cookie associated with a cross-site resource at https://mail-ads.google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

flogin.php:1 A cookie associated with a cross-site resource at https://google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

flogin.php:1 A cookie associated with a cross-site resource at https://drive.google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

with different URLS all originating in google.

I get these messages in chrome after I deleted the cookies manually and also deleted all the rest in chrome from the settings. 

In FireFox however, I receive no such messages ??

Thanks !

 

 

[requinix]

Sigh.

Quote

A cookie associated with a cross-site resource at http://google.com/

A cookie associated with a cross-site resource at https://mail.google.com/

A cookie associated with a cross-site resource at https://mail-ads.google.com/

A cookie associated with a cross-site resource at https://google.com/

A cookie associated with a cross-site resource at https://drive.google.com/

Do you control any of those domains?

[ajoo]

Hi, 

No I don't. I did read some posts where they said that these are to be fixed by google at their end but also quite a few which attempted to fix these "irritating" warnings. Hence I thought that I would try and make changes so that these won't appear. I think that the  missed error messages, at the very beginning, created a lot of confusion. 

So i do nothing at all and let google fix these as and when in some future version?

Thanks.

[requinix]

Yeah. Because they're not your problem, and there's nothing you can do about them.

[ajoo]

Thank you. !