
The server is running PHP Version 5.4.45.
Google Chrome will limit cross-site tracking by default beginning February 4, 2020, which will cause problems for a procurement application that connects to our website via an iframe.

I need to set the session cookie with SameSite=None; Secure;

Any suggestions will be greatly appreciated

Thanks

2 Answers


  1. For end-of-life versions of PHP like this, primarily you should upgrade as you are already exposing yourself to a number of known security vulnerabilities.

    However, to patch this, you will need to update the places where you may be using setcookie() to manually set the header, e.g.

    // Emit the Set-Cookie header by hand, since setcookie() on PHP 5.4 has no SameSite parameter
    header('Set-Cookie: cross-site-cookie=bar; SameSite=None; Secure');
    
  2. SameSite is available from php version >= 7.3, in php.ini and in session_set_cookie_params() if used in the form session_set_cookie_params(array $options): bool

    About PHP version < 7.3: I honestly don’t know if using header() would override the options set by session_start(). It could; maybe I’ll try and update the answer.

    I did a simple test with php:5.6-cli (docker image, I think it was 5.6.40) and it seems to work as expected:

    <?php
    session_start(); // queues PHP's own Set-Cookie header for the session (no SameSite attribute on 5.x)
    // Re-send the session cookie; header() with the default replace=true drops the queued one
    header('Set-Cookie: ' . session_name() . '=' . session_id() . '; SameSite=None; Secure');

    By default this version of PHP sets the session cookie with only key=value; path=/. Using header() it is overwritten: only one cookie is sent in the response, and only with SameSite=None; Secure (verified in Chromium cookies and Wireshark packets).

    However, I would recommend testing with the version of php you are using, the behavior may change.

    Personally I am thinking of not using session_start(), storing sessions in a db and using normal cookies set with header().

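Building on the header() approach in the answer above, here is an added example (not code from the thread or from PHP itself) of a helper for PHP < 7.3 that re-emits the session cookie with the Path, Domain, lifetime and HttpOnly settings session_start() would have used, plus SameSite=None; Secure; the function name is my own.

```php
<?php
// Added example for PHP < 7.3, where neither setcookie() nor
// session_set_cookie_params() knows about SameSite. Call it before any output.
function send_samesite_none_session_cookie()
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $p = session_get_cookie_params(); // keys: lifetime, path, domain, secure, httponly
    $parts = array(session_name() . '=' . urlencode(session_id()));

    if ($p['lifetime'] > 0) {
        $expires = time() + (int) $p['lifetime'];
        $parts[] = 'Expires=' . gmdate('D, d-M-Y H:i:s T', $expires);
        $parts[] = 'Max-Age=' . (int) $p['lifetime'];
    }
    if ($p['path'] !== '') {
        $parts[] = 'Path=' . $p['path'];
    }
    if ($p['domain'] !== '') {
        $parts[] = 'Domain=' . $p['domain'];
    }
    if ($p['httponly']) {
        $parts[] = 'HttpOnly';
    }
    // Browsers ignore SameSite=None unless the cookie is also Secure, so Secure is
    // always added here even if session.cookie_secure is off.
    $parts[] = 'Secure';
    $parts[] = 'SameSite=None';

    // replace=true (the default) discards the Set-Cookie header session_start()
    // queued, so the client receives exactly one session cookie.
    header('Set-Cookie: ' . implode('; ', $parts), true);
}

send_samesite_none_session_cookie();
```

Because replace=true removes every previously queued Set-Cookie header, call this before setting any other cookies in the same response; and since the cookie is marked Secure, both the site and the page embedding it in the iframe must be served over HTTPS or the browser will never send it back.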