Jump to content
ajoo

setting samesite in php7.1.x

Recommended Posts

Hi, 

In < PHP7.3, is it possible to set the session.cookie_samesite to "none' and secure to do away with the warning messages of chrome ?

Thanks.

 

Share this post


Link to post
Share on other sites

The cookie parameters are not validated, as far as I know. You can hijack the path or domain settings to inject a SameSite= value.

session.cookie_domain = ".example.com; SameSite=None"

 

Share this post


Link to post
Share on other sites

Hi,

This is what I tried  since my cookie is set using session_set and get cookie params:

$cookieParams = session_get_cookie_params();
$cookieParams["domain"] = $cookieParams["domain"]+"; SameSite=None";

The I used this to set the cookie params using session_set_cookie_params but nogo.

How do you think I should inject this then ?

Thanks.

 

 

Share this post


Link to post
Share on other sites

What does the + operator do?

Share this post


Link to post
Share on other sites

Oh Damn ! been working on JS last so many days !🤯

I'll get back. Thanks.

P.S. Same result with the "." operator. 😒

Edited by ajoo

Share this post


Link to post
Share on other sites

What's the rest of the code?

Share this post


Link to post
Share on other sites
	$session_name = 'sec_session_id'; 
        $secure = true; 
        $httponly = true; 
        ini_set('session.use_only_cookies', 1);
        $cookieParams = session_get_cookie_params(); 
	$cookieParams["domain"] = $cookieParams["domain"]."; SameSite=None";
        session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);   
        session_name($session_name); 
        session_start();

Here's the rest of it.

Share this post


Link to post
Share on other sites

Working for me.

What does your browser report for the Set-Cookie response header? What is the Chrome warning?

Share this post


Link to post
Share on other sites

chrome warnings are the same as in the previous message;

Request Header:

Quote

Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3

Accept-Encoding:  gzip, deflate, br

Accept-Language: en-US,en;q=0.9

Cache-Control: no-cache

Connection: keep-alive

Cookie: sec_session_id=bb76fff5de222aab7262f16c21d3b584

Host: noos-800-tnv-5564-test-project.sp.smiles.cloud

Pragma: no-cache

Sec-Fetch-Mode: navigate

Sec-Fetch-Site: none

Sec-Fetch-User: ?1

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36

 

Response Header

Quote

Cache-Control:no-store, no-cache, must-revalidate

Connection:close

Content-Length:4333

Content-Security-Policy-Report-Only:default-src 'self'; img-src 'self' data: http:; script-src 'self' data: https://www.google.com/ https://ajax.googleapis.com/ https://www.gstatic.com/ https://noos-800-tnj-5565-test-project.sp.smiles.cloud/; report-uri https://noos-800-tnj-5565-test-project.sp.smiles.cloud/reports/reportcspviolation.php

Content-Type: text/html; charset=UTF-8

Date: Thu, 07 Nov 2019 10:29:12 GMT

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Pragma: no-cache

Server: Apache

 

image.thumb.png.263daaf09a58886f8c39ea5b1b53ccf5.png

 

image.png.0fbfcb8e26fc9a71afb5f78154e6e66d.png

 

Here's all the relevant information I think. The cookies in storage shows samesite as none which was earlier blank. The cookies under Network in devops shows samesite as blank. Why does domain and path shows as N/A?

This is how my site invokes the setting of the cookie on my index page.

if(!isset($_SESSION)) sess_start();

 and sess_start is the code that I posted in my earlier reply. 

Thanks ! 

 

 

Edited by ajoo

Share this post


Link to post
Share on other sites
17 minutes ago, ajoo said:

chrome warnings are the same as in the previous message;

I'm sure, but you never actually said what the warning is.

 

I don't see a Set-Cookie in the response. Delete the session cookie manually and try again.

Share this post


Link to post
Share on other sites

Hi, 

I could have sworn that I posted the error messages but as rightly stated they are not there !😲 Sorry about that.

Here are the messages that I receive  (15 of them):

Quote

A cookie associated with a cross-site resource at http://google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

A cookie associated with a cross-site resource at https://mail.google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.


flogin.php:1 A cookie associated with a cross-site resource at https://mail-ads.google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.


flogin.php:1 A cookie associated with a cross-site resource at https://google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.


flogin.php:1 A cookie associated with a cross-site resource at https://drive.google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

with different URLS all originating in google.

I get these messages in chrome after I deleted the cookies manually and also deleted all the rest in chrome from the settings. 

In FireFox however, I receive no such messages ??

Thanks !

 

 

Share this post


Link to post
Share on other sites

Sigh.

Quote

A cookie associated with a cross-site resource at http://google.com/

A cookie associated with a cross-site resource at https://mail.google.com/

A cookie associated with a cross-site resource at https://mail-ads.google.com/

A cookie associated with a cross-site resource at https://google.com/

A cookie associated with a cross-site resource at https://drive.google.com/

Do you control any of those domains?

Share this post


Link to post
Share on other sites

Hi, 

No I don't. I did read some posts where they said that these are to be fixed by google at their end but also quite a few which attempted to fix these "irritating" warnings. Hence I thought that I would try and make changes so that these won't appear. I think that the  missed error messages, at the very beginning, created a lot of confusion. 

So i do nothing at all and let google fix these as and when in some future version?

Thanks.

Share this post


Link to post
Share on other sites

Yeah. Because they're not your problem, and there's nothing you can do about them.

  • Thanks 1

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.