Samesite attribute for session cookie.#5874
Conversation
Added the function to set the samesite attribute to the session cookie
| | - Some cross-site usage is allowed. | ||
| | 'Strict' | ||
| | - The cookie is withheld with any cross-site usage. | ||
| | 'None' |
There was a problem hiding this comment.
I'm a little bit confused about the "None" option. I can't find it documented in the official php documentation - https://www.php.net/manual/en/function.setcookie.php
They seems to document only support for "Strict" and "Lax".
There was a problem hiding this comment.
A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None. For more detailshttps://www.chromestatus.com/feature/5088147346030592

There was a problem hiding this comment.
A future release of Chrome will only deliver cookies with cross-site requests if they are set with
SameSite=None. For more detailshttps://www.chromestatus.com/feature/5088147346030592
Yes , I'm familiar with this. However, I can't find anything about the "None" value. Nothing in the PHP RFC - https://wiki.php.net/rfc/same-site-cookie and nothing in the PHP Official Docs - https://www.php.net/manual/en/function.setcookie.php
That's why I'm confused :)
There was a problem hiding this comment.
A future release of Chrome will only deliver cookies with cross-site requests if they are set with
SameSite=None. For more detailshttps://www.chromestatus.com/feature/5088147346030592
Yes , I'm familiar with this. However, I can't find anything about the "None" value. Nothing in the PHP RFC - https://wiki.php.net/rfc/same-site-cookie and nothing in the PHP Official Docs - https://www.php.net/manual/en/function.setcookie.php
That's why I'm confused :)
Yes i know, i looked for this info too, but without result. Google said that will be required in April. So i think they will insert this info into the documentation
There was a problem hiding this comment.
Google chrome say that if you want set the cookie SameSite = "None" you have to set the config "cookie_secure" = TRUE.
A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure.
|
OK, a few things ...
|
Thank you for your feedback.
|
| $this->_config['cookie_name'], | ||
| session_id(), | ||
| (empty($this->_config['cookie_lifetime']) ? 0 : time() + $this->_config['cookie_lifetime']), | ||
| $this->_config['cookie_path'], |
There was a problem hiding this comment.
There's a way to send cookies without setcookie() - use header(), making it possible to make the feature non-dependant on the PHP version, which we strive to do. This will also solve the problem with SameSite=None, which just won't work via setcookie() PHP's doesn't support it.
How about making this line the following code?
But that may not be a good solution.
sprintf('%s"; samesite="%s', $this->_config['cookie_path'], $this->_config['sess_cookie_samesite']);|
This code does not work for me - I get: Line 166 is the new line in question: Tracing the code, the That is set up to populate Am I missing something? Shouldn't |
Same issue for me. I also patched the Moreover, waiting for an official patch I recommend you to create a MY_Session.php file to override the __construct method (which I already did for another purpose) |
|
This patch doesn't address issue of Safari iOS version 12.x bug https://bugs.webkit.org/show_bug.cgi?id=198181 when setting SameSite to 'None' actually is interpreted as 'Strict'. So for this specific iOS version SameSite attribute should not be applied. |
|
Ok, so I think this should be addressed as soon as we can. Here go my thoughts on it...
@OskarsOzols we can't implement a browser version-specific fix into CI's core... Upgrading the browser should fix it. |






Added the option to set the samesite attribute for the session cookie. Default is "Strict"