
setting samesite in php7.1.x


ajoo

Hi,

This is what I tried, since my cookie is set using session_set and session_get cookie params:

$cookieParams = session_get_cookie_params();
// PHP 7.1 has no samesite option, so the attribute is appended to the domain value (string concatenation is ".", not "+")
$cookieParams["domain"] = $cookieParams["domain"]."; SameSite=None";

Then I used this to set the cookie params using session_set_cookie_params, but no go.

How do you think I should inject this then?

Thanks.


$session_name = 'sec_session_id';
$secure = true;
$httponly = true;
ini_set('session.use_only_cookies', 1);
$cookieParams = session_get_cookie_params();
// PHP 7.1 has no samesite option, so the attribute is appended to the domain value
$cookieParams["domain"] = $cookieParams["domain"]."; SameSite=None";
session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);
session_name($session_name);
session_start();

Here's the rest of it.
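For comparison, an added example (not code from this thread or from the poster) of the same session setup done in a version-aware way: PHP 7.3 and later get the native samesite option, while 7.1/7.2 fall back to appending the attribute to the path value rather than the domain, since path always has a value. It assumes the thread's session name 'sec_session_id'; the check function and its name are this example's own.

```php
<?php
// Added example, not code from this thread: start a session whose cookie
// carries SameSite=None plus Secure on PHP 7.3+ (native option) and on
// PHP 7.1/7.2 (no samesite option, attribute appended to the path instead).
function start_samesite_session(string $name = 'sec_session_id'): void
{
    $secure   = true;   // browsers ignore SameSite=None unless Secure is also set
    $httponly = true;
    ini_set('session.use_only_cookies', '1');
    $p = session_get_cookie_params();
    if (PHP_VERSION_ID >= 70300) {
        session_set_cookie_params([
            'lifetime' => $p['lifetime'],
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $secure,
            'httponly' => $httponly,
            'samesite' => 'None',
        ]);
    } else {
        // Path is the carrier rather than domain because path always has a
        // value ('/' by default); an empty domain yields "domain=; SameSite=None".
        session_set_cookie_params(
            $p['lifetime'],
            $p['path'] . '; SameSite=None',
            $p['domain'],
            $secure,
            $httponly
        );
    }
    session_name($name);
    session_start();
}

// Check that the attribute reached the response: scan the headers queued so far
// for the session's Set-Cookie line and require both SameSite=None and Secure.
function session_cookie_has_samesite_none(array $headers, string $name = 'sec_session_id'): bool
{
    foreach ($headers as $h) {
        if (stripos($h, "Set-Cookie: {$name}=") !== 0) continue;
        return stripos($h, 'SameSite=None') !== false && stripos($h, '; Secure') !== false;
    }
    return false;   // no Set-Cookie for this session name was queued
}

start_samesite_session();
if (!session_cookie_has_samesite_none(headers_list())) {
    error_log('session cookie sent without SameSite=None; Secure');
}
```

Run it under a web SAPI (headers_list() is empty on the CLI) and confirm the Set-Cookie line in the response headers, which is the same place the thread's request/response dump comes from.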


Chrome warnings are the same as in the previous message.

Request Header:

Quote

Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3

Accept-Encoding:  gzip, deflate, br

Accept-Language: en-US,en;q=0.9

Cache-Control: no-cache

Connection: keep-alive

Cookie: sec_session_id=bb76fff5de222aab7262f16c21d3b584

Host: noos-800-tnv-5564-test-project.sp.smiles.cloud

Pragma: no-cache

Sec-Fetch-Mode: navigate

Sec-Fetch-Site: none

Sec-Fetch-User: ?1

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36

 

Response Header

Quote

Cache-Control:no-store, no-cache, must-revalidate

Connection:close

Content-Length:4333

Content-Security-Policy-Report-Only:default-src 'self'; img-src 'self' data: http:; script-src 'self' data: https://www.google.com/ https://ajax.googleapis.com/ https://www.gstatic.com/ https://noos-800-tnj-5565-test-project.sp.smiles.cloud/; report-uri https://noos-800-tnj-5565-test-project.sp.smiles.cloud/reports/reportcspviolation.php

Content-Type: text/html; charset=UTF-8

Date: Thu, 07 Nov 2019 10:29:12 GMT

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Pragma: no-cache

Server: Apache


Here's all the relevant information, I think. The cookies in storage show samesite as none, which was earlier blank. The cookies under Network in devops show samesite as blank. Why do domain and path show as N/A?

This is how my site invokes the setting of the cookie on my index page.

if(!isset($_SESSION)) sess_start();

and sess_start is the code that I posted in my earlier reply.

Thanks ! 

Edited by ajoo

Hi, 

I could have sworn that I posted the error messages, but as rightly stated they are not there! 😲 Sorry about that.

Here are the messages that I receive (15 of them):

Quote

A cookie associated with a cross-site resource at http://google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

A cookie associated with a cross-site resource at https://mail.google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.


flogin.php:1 A cookie associated with a cross-site resource at https://mail-ads.google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.


flogin.php:1 A cookie associated with a cross-site resource at https://google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.


flogin.php:1 A cookie associated with a cross-site resource at https://drive.google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

with different URLs, all originating in Google.

I get these messages in Chrome after I deleted the cookies manually and also deleted all the rest in Chrome from the settings.

In Firefox, however, I receive no such messages??

Thanks !


Sigh.

Quote

A cookie associated with a cross-site resource at http://google.com/

A cookie associated with a cross-site resource at https://mail.google.com/

A cookie associated with a cross-site resource at https://mail-ads.google.com/

A cookie associated with a cross-site resource at https://google.com/

A cookie associated with a cross-site resource at https://drive.google.com/

Do you control any of those domains?


Hi, 

No, I don't. I did read some posts where they said that these are to be fixed by Google at their end, but also quite a few which attempted to fix these "irritating" warnings. Hence I thought that I would try and make changes so that these won't appear. I think that the missed error messages, at the very beginning, created a lot of confusion.

So I do nothing at all and let Google fix these as and when in some future version?

Thanks.
