PHP setcookie “SameSite=Strict”?

Backend | Unresolved | 9 answers | 2145 views
旧时难觅i 2020-11-29 00:26

I recently read "RFC 6265" on the attribute "Same Site", I looked at some articles that talked about that in April 2016, "same-site" attribute has been implemented for

9 answers
  • 2020-11-29 01:15

    Adding to the answer by Marty Aghajanyan (because apparently I can answer, but not yet comment)

    Doing it in Apache via mod_headers in conjunction with PHP was not working for me in Apache 2.4.29 (Ubuntu). In reviewing the docs (http://www.balkangreenfoundation.org/manual/en/mod/mod_headers.html) I noticed the "always" condition has certain situations where it does not work from the same pool of response headers. Thus the following worked for me to set the SameSite parameter. (Though in my case I am setting None for the recent Chrome 80 update)

    Header edit Set-Cookie ^(.*)$ "$1; Secure; SameSite=None"
    

    The docs also suggest that if you want to cover all your bases you could add the directive both with and without "always", but I have not tested that.

  • 2020-11-29 01:23

    According to this site, it seems it is a matter of PHP 7.3. As of the voting results, a more general extension to cookie-related functions is being implemented + there might be also a new key in php.ini file.

    But as Marc B already wrote, you can use the header() function call instead; I would do it in some file used for inclusion of other initial stuff.

  • 2020-11-29 01:26

    1. For PHP >= v7.3

    You can use the $options array to set the samesite value, for example:

    setcookie($name, $value, [
        'expires' => time() + 86400,
        'path' => '/',
        'domain' => 'domain.com',
        'secure' => true,
        'httponly' => true,
        'samesite' => 'None',
    ]);
    

    The value of the samesite element should be either None, Lax or Strict.

    Read more in the manual page.

    2. For PHP < v7.3

    You can use one of the following solutions/workarounds depending on your codebase/needs

    2.1 Setting SameSite cookies using Apache configuration

    You can add the following line to your Apache configuration

    Header always edit Set-Cookie (.*) "$1; SameSite=Lax"
    

    and this will update all your cookies with the SameSite=Lax flag

    See more here: https://blog.giantgeek.com/?p=1872

    2.2 Setting SameSite cookies using Nginx configuration

    location / {
        # your usual config ...
        # hack, set all cookies to secure, httponly and samesite (strict or lax)
        proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
    }
    

    Same here, this will also update all your cookies with the SameSite=Lax flag

    See more here: https://serverfault.com/questions/849888/add-samesite-to-cookies-using-nginx-as-reverse-proxy

    2.3 Setting SameSite cookies using header method

    As we know, cookies are just a header in an HTTP request with the following structure

    Set-Cookie: key=value; path=/; domain=example.org; HttpOnly; SameSite=Lax
    

    so we can just set the cookies with the header method

    header("Set-Cookie: key=value; path=/; domain=example.org; HttpOnly; SameSite=Lax");
    

    In fact, Symfony is not waiting for PHP 7.3 and is already doing it under the hood, see here

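An added example (not code from any of the answers above) that folds the two branches of the previous answer into one helper; the function names build_set_cookie_header and set_samesite_cookie are my own. It validates the attribute value, refuses SameSite=None without Secure (browsers drop such cookies), and on PHP < 7.3 passes replace=false to header() so cookies already queued by other code are not overwritten:

```php
<?php
// Added example, not code from the original answers; helper names are assumptions.
// PHP >= 7.3 uses the $options array; older PHP emits the Set-Cookie header by hand.

function build_set_cookie_header(string $name, string $value, int $expires,
        string $path, string $domain, bool $secure, bool $httponly, string $samesite): string
{
    // Same attribute set setcookie() emits; the value is URL-encoded as setcookie() does.
    $parts = [$name . '=' . rawurlencode($value)];
    if ($expires > 0) {
        $parts[] = 'Expires=' . gmdate('D, d-M-Y H:i:s T', $expires);
        $parts[] = 'Max-Age=' . max(0, $expires - time());
    }
    if ($path !== '')   { $parts[] = 'Path=' . $path; }
    if ($domain !== '') { $parts[] = 'Domain=' . $domain; }
    if ($secure)        { $parts[] = 'Secure'; }
    if ($httponly)      { $parts[] = 'HttpOnly'; }
    $parts[] = 'SameSite=' . $samesite;
    return 'Set-Cookie: ' . implode('; ', $parts);
}

function set_samesite_cookie(string $name, string $value, string $samesite = 'Lax',
        int $ttl = 86400, string $path = '/', string $domain = '',
        bool $secure = true, bool $httponly = true): bool
{
    if (!in_array($samesite, ['None', 'Lax', 'Strict'], true)) {
        throw new InvalidArgumentException('samesite must be None, Lax or Strict');
    }
    // Chrome 80+ (and others since) discard SameSite=None cookies that are not Secure.
    if ($samesite === 'None' && !$secure) {
        throw new InvalidArgumentException('SameSite=None requires the Secure flag');
    }
    $expires = time() + $ttl;
    if (PHP_VERSION_ID >= 70300) {
        return setcookie($name, $value, [
            'expires' => $expires, 'path' => $path, 'domain' => $domain,
            'secure' => $secure, 'httponly' => $httponly, 'samesite' => $samesite,
        ]);
    }
    // PHP < 7.3: replace=false so this does not clobber Set-Cookie headers
    // already queued for other cookies in the same response.
    header(build_set_cookie_header($name, $value, $expires, $path, $domain,
                                   $secure, $httponly, $samesite), false);
    return true;
}

// Usage: a session-style cookie that cross-site requests must not carry.
set_samesite_cookie('session', 'abc123', 'Strict');
```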