Cookie “phpMyAdmin” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute.

[williamdes]

Describe the bug

Cookie “phpMyAdmin” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value,
without the “secure” attribute.
To know more about the “sameSite“ attribute,
read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Server configuration

• phpMyAdmin version: 5.1

Client configuration

• Browser: Waterfox latest
• Operating system: Ubuntu

[williamdes]

Set-Cookie: phpMyAdmin=d2bbe0430dfa6ebb81ffe4fc985b4451; path=/@phpmyadmin/theREALphpMyAdminREPO/; HttpOnly

Should be fixed by this diff

diff --git a/libraries/classes/Session.php b/libraries/classes/Session.php
index f68bad2495..3d1290d881 100644
--- a/libraries/classes/Session.php
+++ b/libraries/classes/Session.php
@@ -180,6 +180,8 @@ class Session
         ini_set('session.use_strict_mode', '1');
         // make the session cookie HttpOnly
         ini_set('session.cookie_httponly', '1');
+        // add SameSite to the session cookie
+        ini_set('session.cookie_samesite', $config->get('CookieSameSite'));
         // do not force transparent session ids
         ini_set('session.use_trans_sid', '0');

https://www.php.net/manual/en/session.configuration.php#ini.session.cookie-samesite (Available as of PHP 7.3.0.)

phpMyAdmin=d2bbe0430dfa6ebb81ffe4fc985b4451; path=/@phpmyadmin/theREALphpMyAdminREPO/; HttpOnly; SameSite=Strict

[MauricioFauth]

Related to #16316.

[MauricioFauth]

We have to make sure that it will work with PHP prior to version 7.3.0.

[williamdes]

We have to make sure that it will work with PHP prior to version 7.3.0.

I am not sure to understand what you mean, but for sure we will need to restrict the usage to PHP >= 7.3 by an if

[MauricioFauth]

I am not sure to understand what you mean, but for sure we will need to restrict the usage to PHP >= 7.3 by an if

That is what I meant.