The server is running PHP Version 5.4.45.
Google Chrome will limit cross-site tracking by default beginning February 4, 2020, which will cause problems for a procurement application that connects to our website via an iframe.
I need to set the session cookie with `SameSite=None; Secure;`.
Any suggestions will be greatly appreciated.
Thanks
2 Answers
For end-of-life versions of PHP like this, primarily you should upgrade, as you are already exposing yourself to a number of known security vulnerabilities.
However, to patch this, you will need to update the places where you may be using `setcookie()` to manually set the header, e.g.

`SameSite` is available from PHP version >= 7.3, in php.ini and in `session_set_cookie_params()` if used in the form `session_set_cookie_params(array $options): bool`.

About PHP version < 7.3 … I honestly don't know if using `header()` would override the options set by `session_start()`. It could; maybe I'll try and update the answer.

I did a simple test with `php:5.6-cli` (Docker image, I think it was 5.6.40) and it seems to work as expected: by default this version of PHP sets the session cookie only with `key=value; path=/`; using `header()` it is overwritten, only one cookie is sent in the response, and only with `SameSite=none; Secure` (verified in Chromium cookies and Wireshark packets). However, I would recommend testing with the version of PHP you are using; the behavior may change.

Personally I am thinking of not using `session_start()`, storing sessions in a DB and using normal cookies set with `header()`.
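As an added example (not code from either answer), the `header()` approach the second answer tested, written for PHP < 7.3 syntax: the function names `buildSessionCookieHeader` and `startSessionWithSameSiteNone` are mine, and it assumes the page is served over HTTPS, since browsers only accept `SameSite=None` together with `Secure`.

```php
<?php
// Added example, not part of the original answers. On PHP < 7.3 the runtime
// cannot emit SameSite itself, so after session_start() the Set-Cookie header
// is rebuilt by hand from the session's own cookie parameters.

function buildSessionCookieHeader($name, $id, array $params, $sameSite = 'None')
{
    $attrs = array(rawurlencode($name) . '=' . rawurlencode($id));
    if (!empty($params['lifetime'])) {
        // Same Expires format setcookie() uses; a lifetime of 0 means a session cookie.
        $attrs[] = 'Expires=' . gmdate('D, d-M-Y H:i:s T', time() + $params['lifetime']);
        $attrs[] = 'Max-Age=' . (int) $params['lifetime'];
    }
    $attrs[] = 'Path=' . ($params['path'] !== '' ? $params['path'] : '/');
    if (!empty($params['domain'])) {
        $attrs[] = 'Domain=' . $params['domain'];
    }
    // Secure is mandatory with SameSite=None; HttpOnly keeps scripts away from the id.
    $attrs[] = 'Secure';
    $attrs[] = 'HttpOnly';
    $attrs[] = 'SameSite=' . $sameSite;
    return 'Set-Cookie: ' . implode('; ', $attrs);
}

function startSessionWithSameSiteNone()
{
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    if (!$https) {
        // Over plain HTTP the browser drops a Secure cookie, so the iframe use case
        // silently breaks; fail loudly instead.
        throw new RuntimeException('SameSite=None requires HTTPS');
    }
    session_start();
    $header = buildSessionCookieHeader(session_name(), session_id(), session_get_cookie_params());
    // replace=true (the default) discards the Set-Cookie header session_start() queued,
    // so only this one reaches the browser. It also discards any other Set-Cookie header
    // sent earlier in this response, so emit additional cookies after this call.
    header($header, true);
}

startSessionWithSameSiteNone();
```

Confirm the result the way the second answer did: inspect the response headers (browser devtools or a packet capture) and check that exactly one `Set-Cookie` for the session name is present and carries `Secure` and `SameSite=None`.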