I created a chrome extension and from popup.js I called PHP script (Using Xhttprequest) that reads the cookie. Like this:
$cookie_name = "mycookie";
if(isset($_COOKIE[$cookie_name]))
{
echo $_COOKIE[$cookie_name];
}
else{
echo "nocookie";
}
But I'm getting this warning at errors in extensions.
A cookie associated with a cross-site resource at (Here is my domain) was set without the
SameSite
attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set withSameSite=None
andSecure
. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
I tried to create a cookie like this but it didn't help.
setcookie($cookie_name,$cookie_value, time() + 3600*24, "/;samesite=None ","mydomain.com", 1);
Following instructions from this question.
As the new feature comes, SameSite=None
cookies must also be marked as Secure
or they will be rejected.
One can find more information about the change on chromium updates and on this blog post
Note: not quite related directly to the question, but might be useful for others who landed here as it was my concern at first during development of my website:
if you are seeing the warning from question that lists some 3rd party sites (in my case it was google.com, huh) - that means they need to fix it and it's nothing to do with your site. Of course unless the warning mentions your site, in which case adding Secure
should fix it.
>= PHP 7.3
setcookie('key', 'value', ['samesite' => 'None', 'secure' => true]);
< PHP 7.3
exploit the path
setcookie('key', 'value', time()+(7*24*3600), "/; SameSite=None; Secure");
Emitting javascript
echo "<script>document.cookie('key=value; SameSite=None; Secure');</script>";
For those can not create PHP session and working with live domain at local. You should delete live sites secure cookie first.
Full answer ; https://stackoverflow.com/a/64073275/1067434
I ended up fixing our Ubuntu 18.04 / Apache 2.4.29 / PHP 7.2 install for Chrome 80 by installing mod_headers:
a2enmod headers
Adding the following directive to our Apache VirtualHost configurations:
Header edit Set-Cookie ^(.*)$ "$1; Secure; SameSite=None"
And restarting Apache:
service apache2 restart
In reviewing the docs (http://www.balkangreenfoundation.org/manual/en/mod/mod_headers.html) I noticed the "always" condition has certain situations where it does not work from the same pool of response headers. Thus not using "always" is what worked for me with PHP but the docs suggest that if you want to cover all your bases you could add the directive both with and without "always". I have not tested that.
If you are experiencing the OP's problem where your cookies have been set using JavaScript - for example:
document.cookie = "my_cookie_name=my_cookie_value; expires=Thu, 11 Jun 2070 11:11:11 UTC; path=/";
you could instead use:
document.cookie = "my_cookie_name=my_cookie_value; expires=Thu, 11 Jun 2070 11:11:11 UTC; path=/; SameSite=None; Secure";
It worked for me. More info here.
I am using both JavaScript Cookie and Java CookieUtil in my project, below settings solved my problem:
JavaScript Cookie
var d = new Date();
d.setTime(d.getTime() + (30*24*60*60*1000)); //keep cookie 30 days
var expires = "expires=" + d.toGMTString();
document.cookie = "visitName" + "=Hailin;" + expires + ";path=/;SameSite=None;Secure"; //can set SameSite=Lax also
JAVA Cookie (set proxy_cookie_path in Nginx)
location / {
proxy_pass http://96.xx.xx.34;
proxy_intercept_errors on;
#can set SameSite=None also
proxy_cookie_path / "/;SameSite=Lax;secure";
proxy_connect_timeout 600;
proxy_read_timeout 600;
}
Read more on https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
Source: Stackoverflow.com