How to tell PHP to use SameSite=None for cross-site cookies?

Backend | Unresolved | 6 answers | 928 views
刺人心 2020-12-16 13:20

According to the article at https://php.watch/articles/PHP-Samesite-cookies and the PHP documentation at https://www.php.net/manual/en/session.security.ini.php, there are only

6 answers
  • 2020-12-16 13:33

    This method can be helpful for you.

    Add the cookie attributes Secure + SameSite=None in nginx, as below:

    location / {
        proxy_cookie_path / "/; secure; SameSite=none";
    }

    It's working for me!

  • 2020-12-16 13:37

    You can set the value to "None" using ini_set. There's no check that the value is supported when that function is used:

    ini_set('session.cookie_samesite', 'None');
    session_start();
    

    session_set_cookie_params can also set it:

    session_set_cookie_params(['samesite' => 'None']);
    session_start();
    

    The bug report for this to be supported in php.ini is here.


    As @shrimpwagon said in a comment below, session.cookie_secure must be true for this to work. PHP doesn't require it, but browsers do.

  • 2020-12-16 13:38

    ini_set('session.cookie_secure', "1");
    ini_set('session.cookie_httponly', "1");
    ini_set('session.cookie_samesite', 'None');
    session_start();

    PHP 7.4: samesite is shown in phpinfo (screenshot omitted)

    PHP 7.2: samesite does not exist in phpinfo (screenshot omitted)

    $currentCookieParams = session_get_cookie_params();
    $cookie_domain = 'your domain';
    if (PHP_VERSION_ID >= 70300) {
        // PHP 7.3+: the options array has a native 'samesite' key
        session_set_cookie_params([
            'lifetime' => $currentCookieParams["lifetime"],
            'path'     => '/',
            'domain'   => $cookie_domain,
            'secure'   => true,
            'httponly' => true,
            'samesite' => 'None',
        ]);
    } else {
        // Older PHP: no samesite option, so append it to the path argument;
        // PHP writes the path verbatim into the Set-Cookie header
        session_set_cookie_params(
            $currentCookieParams["lifetime"],
            '/; samesite=None',
            $cookie_domain,
            true,
            true
        );
    }
    session_start();
    

    Good luck.

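    The two answers above set the attributes but never confirm what PHP actually put on the wire, which is where most SameSite=None problems show up (a missing Secure, or a proxy stripping the attribute). The following is an added example, not code from either answer: it applies the version-aware configuration and then parses the session cookie's Set-Cookie header out of headers_list() and reports anything a browser would reject. It assumes PHP 7.1 or newer (for the type declarations), an HTTPS request, and a web SAPI (headers_list() is empty on the CLI); the function names are mine.

```php
<?php
// Added example. Configures the session cookie for cross-site use and verifies
// the Set-Cookie header PHP sent. Helper names are assumptions, not PHP APIs.

function configure_cross_site_session(string $domain = ''): void
{
    $params = session_get_cookie_params();
    if (PHP_VERSION_ID >= 70300) {
        session_set_cookie_params([
            'lifetime' => $params['lifetime'],
            'path'     => '/',
            'domain'   => $domain,
            'secure'   => true,   // browsers discard SameSite=None without Secure
            'httponly' => true,
            'samesite' => 'None',
        ]);
    } else {
        // PHP 7.1-7.2: no samesite option, smuggle it through the path argument
        session_set_cookie_params($params['lifetime'], '/; SameSite=None', $domain, true, true);
    }
}

// Returns the attributes of the session cookie's Set-Cookie header
// (keys lower-cased, flag attributes mapped to true), or null if none was sent.
function session_cookie_attributes(): ?array
{
    $prefix = 'Set-Cookie: ' . session_name() . '=';
    foreach (headers_list() as $header) {
        if (stripos($header, $prefix) !== 0) {
            continue;
        }
        $parts = array_map('trim', explode(';', substr($header, strlen('Set-Cookie: '))));
        array_shift($parts); // drop name=value
        $attrs = [];
        foreach ($parts as $part) {
            [$key, $value] = array_pad(explode('=', $part, 2), 2, true);
            $attrs[strtolower($key)] = $value;
        }
        return $attrs;
    }
    return null;
}

// Lists the reasons a browser would refuse to use this cookie cross-site.
function check_cross_site_cookie(array $attrs): array
{
    $problems = [];
    if (strcasecmp((string) ($attrs['samesite'] ?? ''), 'None') !== 0) {
        $problems[] = 'SameSite is not None';
    }
    if (!isset($attrs['secure'])) {
        $problems[] = 'Secure missing: browsers drop SameSite=None cookies without it';
    }
    if (!isset($attrs['httponly'])) {
        $problems[] = 'HttpOnly missing: cookie readable from script';
    }
    return $problems;
}

// Diagnostic entry point: run once from a browser over HTTPS.
configure_cross_site_session();
session_start();
// PHP only resends the cookie when the session id is new; force that here so
// the check always has a header to inspect (diagnostic only, not for production).
session_regenerate_id(true);

$attrs = session_cookie_attributes();
$problems = $attrs === null ? ['no Set-Cookie header for the session cookie'] : check_cross_site_cookie($attrs);
header('Content-Type: text/plain');
echo empty($problems) ? "cookie is usable cross-site\n" : implode("\n", $problems) . "\n";
```

    The parser splits on ';' and lower-cases attribute names, so it reads both the native 7.3+ header and the path-hack form (where the attribute arrives inside "path=/; SameSite=None") the same way; if a reverse proxy rewrites cookies, run the same check against the response as seen by the browser rather than inside PHP.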
  • 2020-12-16 13:40

    Bad:

    session.cookie_samesite=None
    

    Correct:

    session.cookie_samesite="None"
    

    Explanation here

  • 2020-12-16 13:40

    I am using CakePHP 1.3. I need the backend cookie on the front end, which is not on the same domain. Check the details here.

    https://stackoverflow.com/a/63481019/6128573

  • 2020-12-16 13:50

    For PHP 5.6.40, there exists a workaround (the hack on path parameter) which does not involve rebuilding PHP.

    If you have no problem rebuilding the PHP binary, I managed to port this feature from PHP 7.3 to PHP 5.6.40, and there is now a pull request. I needed it for our projects that aren't migrated yet. I know the 5.6 branch is deprecated; I am just sharing.

    Pull request: https://github.com/php/php-src/pull/6446

    Our repo with the changes: https://github.com/Inducido/php-src/tree/PHP-5.6.40

    Build tested on Debian 8.11

    New Feature

    Session: Added support for the SameSite cookie directive for setcookie(), setrawcookie() and session_set_cookie_params(). Ported from the PHP 7.x branch; they all have an additional "samesite" parameter (string) at the very end.

    Prototypes:

    bool setcookie(string name [, string value [, int expires [, string path [, string domain [, bool secure[, bool httponly[, string samesite]]]]]]])
    bool setrawcookie(string name [, string value [, int expires [, string path [, string domain [, bool secure[, bool httponly[, string samesite]]]]]]])
    void session_set_cookie_params(int lifetime [, string path [, string domain [, bool secure[, bool httponly[, string samesite]]]]])
    (session_get_cookie_params updated too)
    

    Changes to INI File Handling

    • session.cookie_samesite: New INI option to set the SameSite directive for cookies. Defaults to "" (empty string), so no SameSite directive is set. Can be set to "Lax", "Strict" or "None", which sets the respective SameSite directive. When using "None", make sure to include the quotes, as a bare none is interpreted like false in ini files.

    This solves the issue "This Set-Cookie was blocked due to user preferences" in Chrome.

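    For non-session cookies on a PHP that predates the 7.3 samesite parameter (the situation this answer's port addresses), you do not have to rebuild PHP: setcookie() is only a convenience around a Set-Cookie header, and the header can be written by hand. The following is an added example, not part of the answer or the linked pull request. It uses the setcookie() options array on PHP 7.3 and newer and a hand-built header otherwise, and avoids type declarations so it also parses on 5.6; the function and cookie names are mine, and it must run before any output on an HTTPS response.

```php
<?php
// Added example. Sends a cross-site cookie (SameSite=None; Secure; HttpOnly)
// on any PHP version. Function names are assumptions, not PHP APIs.

// Builds a raw Set-Cookie header line for PHP versions without the samesite option.
function build_cross_site_cookie_header($name, $value, $expires = 0, $domain = '')
{
    // Same characters setcookie() rejects in a cookie name.
    if ($name === '' || preg_match('/[=,; \t\r\n\013\014]/', $name)) {
        throw new InvalidArgumentException('invalid cookie name');
    }
    $parts = array($name . '=' . rawurlencode($value), 'Path=/');
    if ($expires > 0) {
        $parts[] = 'Expires=' . gmdate('D, d M Y H:i:s', $expires) . ' GMT';
        $parts[] = 'Max-Age=' . max(0, $expires - time());
    }
    if ($domain !== '') {
        $parts[] = 'Domain=' . $domain;
    }
    $parts[] = 'Secure';        // required by browsers for SameSite=None
    $parts[] = 'HttpOnly';
    $parts[] = 'SameSite=None';
    return 'Set-Cookie: ' . implode('; ', $parts);
}

// Sets the cookie natively where PHP supports it, otherwise via the raw header.
function set_cross_site_cookie($name, $value, $expires = 0, $domain = '')
{
    if (PHP_VERSION_ID >= 70300) {
        return setcookie($name, $value, array(
            'expires'  => $expires,
            'path'     => '/',
            'domain'   => $domain,
            'secure'   => true,
            'httponly' => true,
            'samesite' => 'None',
        ));
    }
    // Second argument false: append instead of replacing earlier Set-Cookie headers.
    header(build_cross_site_cookie_header($name, $value, $expires, $domain), false);
    return true;
}

// Usage: a one-hour cookie for an embedded front end on another site
// ('embed_token' and the value are constructed for this example).
set_cross_site_cookie('embed_token', 'opaque-session-reference', time() + 3600, 'example.com');
```

    Writing the header directly is preferable to the path hack on old versions because the attribute order and spelling are under your control and nothing downstream has to tolerate a path value containing ';'. On PHP 7.3+ the native call is used so that PHP keeps validating the arguments itself.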