
Cookie “PHPSESSID” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”


jasonc310771
Solved by kicken

I am having issues with "SameSite" errors in Firefox.  The server is PHP Version 5.6.40

I get the error in the Firefox console

Cookie “PHPSESSID” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”

In my code I have

if(isset($_COOKIE['session_id']))
    session_id($_COOKIE['session_id']);
session_start();
if(!isset($_COOKIE['session_id']))
    setcookie('session_id', session_id(), 0, '/', '.site.com');

But the error still shows.  This error shows in both the main www.site.com and the m.site.com subdomain.

How do I fix this, please?


  • Solution

All your cookie code there is redundant.  session_start manages its own cookie, you don't need to do it yourself.

You can control the SameSite value either using the configuration option session.cookie_samesite or the session_set_cookie_params function (before calling session_start).  Example:

session_set_cookie_params([
	'lifetime' => 0
	, 'path' => '/'
	, 'domain' => '.site.com'
	, 'secure' => true
	, 'httponly' => true
	, 'samesite' => 'Lax'
]):
session_start();

 


Here is a simple breakdown

 

$cookie_name = 'my_cookie';
$cookie_value = 'my_value';
$cookie_domain = 'www.example.com';
$cookie_lifetime = strtotime('+6 months');

$cookie_options = array(
    'expires' => $cookie_lifetime,
    'path' => '/',
    'domain' => $cookie_domain,
    'secure' => true,
    'httponly' => true,
    'samesite' => 'Lax'
);

setcookie($cookie_name, $cookie_value, $cookie_options);

A login example:

// Verify the username and password
if (verify_credentials($username, $password)) {
    // Generate a unique token
    $token = bin2hex(random_bytes(32));

    // Store the token in the user's database record (or other persistent storage mechanism)
    store_token_in_database($user_id, $token);

    // Set a cookie with the token and a 6-month expiration time
    setcookie('login_token', $token, [
        'expires' => strtotime('+6 months'),
        'path' => '/',
        'domain' => 'example.com',
        'secure' => true,
        'httponly' => true,
        'samesite' => 'Lax'
    ]);

    // Store the token in the user's session
    $_SESSION['login_token'] = $token;

    // Redirect the user to the dashboard or home page
    header('Location: dashboard.php');
    exit;
} else {
    // Invalid username or password
    $error = 'Invalid username or password';
}

 


9 hours ago, kicken said:

All your cookie code there is redundant.  session_start manages its own cookie, you don't need to do it yourself.

You can control the SameSite value either using the configuration option session.cookie_samesite or the session_set_cookie_params function (before calling session_start).  Example:

session_set_cookie_params([
	'lifetime' => 0
	, 'path' => '/'
	, 'domain' => '.site.com'
	, 'secure' => true
	, 'httponly' => true
	, 'samesite' => 'Lax'
]):
session_start();

 

I added this to the start of the initial php script but get a 500 error.


There is a syntax error because I accidentally used a colon instead of a semicolon.

If you only get a generic 500 error for such errors, you might want to look into adjusting your development environment to show proper error messages so it's easier to resolve such problems.
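
The array form of session_set_cookie_params and the session.cookie_samesite setting were both added in PHP 7.3, while the server in the question runs PHP 5.6.40. The following is an added example, not code from any poster in this thread, showing one way to set the attribute on either version; the helper names are hypothetical, and the pre-7.3 branch relies on the widely used workaround of appending the attribute to the cookie path.

```php
<?php
// Added example, not from the thread. Both function names are hypothetical;
// '.site.com' is the domain used in the question.

function samesite_cookie_params($sameSite, $domain, $secure = true)
{
    $allowed = array('Lax', 'Strict', 'None');
    if (!in_array($sameSite, $allowed, true)) {
        throw new InvalidArgumentException('SameSite must be Lax, Strict or None');
    }
    // Current browsers reject SameSite=None cookies that are not also Secure.
    if ($sameSite === 'None' && !$secure) {
        throw new InvalidArgumentException('SameSite=None requires the Secure flag');
    }
    return array(
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => $domain,
        'secure'   => $secure,
        'httponly' => true,
        'samesite' => $sameSite,
    );
}

function start_session_with_samesite($sameSite, $domain, $secure = true)
{
    $p = samesite_cookie_params($sameSite, $domain, $secure);

    if (PHP_VERSION_ID >= 70300) {
        // PHP 7.3+: the options array, including 'samesite', is supported.
        session_set_cookie_params($p);
    } else {
        // PHP < 7.3: there is no samesite parameter. The path is written into
        // the Set-Cookie header as given, so the attribute is appended to it.
        // The value was checked against a fixed list above, so nothing
        // caller-controlled is injected into the header.
        session_set_cookie_params(
            $p['lifetime'],
            $p['path'] . '; SameSite=' . $p['samesite'],
            $p['domain'],
            $p['secure'],
            $p['httponly']
        );
    }
    return session_start();
}

start_session_with_samesite('Lax', '.site.com');
```

With secure set to true the session cookie is only sent over HTTPS, so both www.site.com and m.site.com need to be served over HTTPS for the session to persist.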
