ajoo Posted November 6, 2019
Hi, In < PHP 7.3, is it possible to set session.cookie_samesite to "none" and secure to do away with the warning messages of Chrome? Thanks.
requinix Posted November 6, 2019
The cookie parameters are not validated, as far as I know. You can hijack the path or domain settings to inject a SameSite= value.

session.cookie_domain = ".example.com; SameSite=None"
ajoo Posted November 6, 2019 (Author)
Hi, This is what I tried, since my cookie is set using session_set and get cookie params:

$cookieParams = session_get_cookie_params();
$cookieParams["domain"] = $cookieParams["domain"]+"; SameSite=None";

Then I used this to set the cookie params using session_set_cookie_params, but no go. How do you think I should inject this then? Thanks.
requinix Posted November 6, 2019
What does the + operator do?
ajoo Posted November 6, 2019 (Author, edited)
Oh damn! Been working on JS the last so many days! 🤯 I'll get back. Thanks. P.S. Same result with the "." operator. 😒
Edited November 6, 2019 by ajoo
requinix Posted November 6, 2019
What's the rest of the code?
ajoo Posted November 6, 2019 (Author)

$session_name = 'sec_session_id';
$secure = true;
$httponly = true;
ini_set('session.use_only_cookies', 1);
$cookieParams = session_get_cookie_params();
$cookieParams["domain"] = $cookieParams["domain"]."; SameSite=None";
session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);
session_name($session_name);
session_start();

Here's the rest of it.
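Added example, not code from either poster: it sets the site's own session cookie with SameSite=None; Secure using the native options array on PHP 7.3+ and, on older PHP, the attribute injection requinix describes (through the path rather than the domain, since the default domain is usually empty), then checks the Set-Cookie header the server actually emitted. Function names are hypothetical; it does nothing for the third-party google.com cookies the Chrome warnings in this thread are about.

```php
<?php
// Start the session with a cookie carrying SameSite=None; Secure.
// Assumes the defaults from the thread: name 'sec_session_id', cookies only.
function sess_start_samesite_none(string $name = 'sec_session_id'): void
{
    ini_set('session.use_only_cookies', '1');
    $p = session_get_cookie_params();

    if (PHP_VERSION_ID >= 70300) {
        // PHP 7.3+: the options-array form supports 'samesite' directly.
        session_set_cookie_params([
            'lifetime' => $p['lifetime'],
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => true,   // browsers only honour SameSite=None with Secure
            'httponly' => true,
            'samesite' => 'None',
        ]);
    } else {
        // PHP < 7.3: parameters are not validated, so append the attribute to
        // the path (always non-empty, unlike the domain) as requinix suggests.
        session_set_cookie_params(
            $p['lifetime'],
            $p['path'] . '; SameSite=None',
            $p['domain'],
            true,
            true
        );
    }
    session_name($name);
    session_start();
}

// Find the Set-Cookie header PHP queued for the session cookie, or null if
// none was sent (e.g. the browser already held a valid session cookie).
function session_set_cookie_header(string $name): ?string
{
    foreach (headers_list() as $h) {
        if (stripos($h, 'Set-Cookie: ' . $name . '=') === 0) {
            return $h;
        }
    }
    return null;
}

// True only when the header carries both SameSite=None and Secure.
function has_samesite_none_secure(?string $header): bool
{
    return $header !== null
        && preg_match('/;\s*SameSite=None/i', $header) === 1
        && preg_match('/;\s*Secure\b/i', $header) === 1;
}
```

Call sess_start_samesite_none() before any output, then has_samesite_none_secure(session_set_cookie_header('sec_session_id')) tells you whether this response set the cookie correctly; a null header means no Set-Cookie went out at all, which is why requinix asks for the cookie to be deleted before retesting.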
requinix Posted November 6, 2019
Working for me. What does your browser report for the Set-Cookie response header? What is the Chrome warning?
ajoo Posted November 7, 2019 (Author, edited)
Chrome warnings are the same as in the previous message;

Request Header:

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cache-Control: no-cache
Connection: keep-alive
Cookie: sec_session_id=bb76fff5de222aab7262f16c21d3b584
Host: noos-800-tnv-5564-test-project.sp.smiles.cloud
Pragma: no-cache
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36

Response Header:

Cache-Control: no-store, no-cache, must-revalidate
Connection: close
Content-Length: 4333
Content-Security-Policy-Report-Only: default-src 'self'; img-src 'self' data: http:; script-src 'self' data: https://www.google.com/ https://ajax.googleapis.com/ https://www.gstatic.com/ https://noos-800-tnj-5565-test-project.sp.smiles.cloud/; report-uri https://noos-800-tnj-5565-test-project.sp.smiles.cloud/reports/reportcspviolation.php
Content-Type: text/html; charset=UTF-8
Date: Thu, 07 Nov 2019 10:29:12 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: Apache

Here's all the relevant information, I think. The cookies in storage show samesite as none, which was earlier blank. The cookies under Network in devops show samesite as blank. Why do domain and path show as N/A? This is how my site invokes the setting of the cookie on my index page:

if(!isset($_SESSION)) sess_start();

and sess_start is the code that I posted in my earlier reply. Thanks!
Edited November 7, 2019 by ajoo
requinix Posted November 7, 2019
17 minutes ago, ajoo said:
> Chrome warnings are the same as in the previous message;
I'm sure, but you never actually said what the warning is. I don't see a Set-Cookie in the response. Delete the session cookie manually and try again.
ajoo Posted November 7, 2019 (Author)
Hi, I could have sworn that I posted the error messages, but as rightly stated they are not there! 😲 Sorry about that. Here are the messages that I receive (15 of them):

A cookie associated with a cross-site resource at http://google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

A cookie associated with a cross-site resource at https://mail.google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

flogin.php:1 A cookie associated with a cross-site resource at https://mail-ads.google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

flogin.php:1 A cookie associated with a cross-site resource at https://google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

flogin.php:1 A cookie associated with a cross-site resource at https://drive.google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

with different URLs, all originating in Google. I get these messages in Chrome after I deleted the cookies manually and also deleted all the rest in Chrome from the settings. In Firefox, however, I receive no such messages? Thanks!
requinix Posted November 7, 2019
Sigh.

> A cookie associated with a cross-site resource at http://google.com/
> A cookie associated with a cross-site resource at https://mail.google.com/
> A cookie associated with a cross-site resource at https://mail-ads.google.com/
> A cookie associated with a cross-site resource at https://google.com/
> A cookie associated with a cross-site resource at https://drive.google.com/

Do you control any of those domains?
ajoo Posted November 7, 2019 (Author)
Hi, No, I don't. I did read some posts where they said that these are to be fixed by Google at their end, but also quite a few which attempted to fix these "irritating" warnings. Hence I thought that I would try and make changes so that these won't appear. I think that the missed error messages, at the very beginning, created a lot of confusion. So I do nothing at all and let Google fix these as and when in some future version? Thanks.
requinix Posted November 7, 2019
Yeah. Because they're not your problem, and there's nothing you can do about them.
ajoo Posted November 7, 2019 (Author)
Thank you!