How to fix set SameSite cookie to none warning

Question

I created a chrome extension and from popup js I called PHP script  Using Xhttprequest  that reads the cookie  Like this    cookie name    mycookie    if isset   COOKIE  cookie name          echo   COOKIE  cookie name     else      echo  nocookie       But I m getting this warning at errors in extensions      A cookie associated with a cross-site resource at  Here is my domain  was set without the SameSite attribute  A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite None and Secure  You can review cookies in developer tools under Application Storage Cookies and see more details at https   www chromestatus com feature 5088147346030592 and https   www chromestatus com feature 5633521622188032    I tried to create a cookie like this but it didn t help   setcookie  cookie name  cookie value  time     3600 24     samesite None    mydomain com   1     Following instructions from this question

User · Answer

I am using both JavaScript Cookie and Java CookieUtil in my project, below settings solved my problem:

JavaScript Cookie

var d = new Date();
d.setTime(d.getTime() + (30*24*60*60*1000)); //keep cookie 30 days
var expires = "expires=" + d.toGMTString();         
document.cookie = "visitName" + "=Hailin;" + expires + ";path=/;SameSite=None;Secure"; //can set SameSite=Lax also

JAVA Cookie (set proxy_cookie_path in Nginx)

location / {
   proxy_pass http://96.xx.xx.34;
   proxy_intercept_errors on;
   #can set SameSite=None also
   proxy_cookie_path / "/;SameSite=Lax;secure";
   proxy_connect_timeout 600;
   proxy_read_timeout 600;
}

Check result in Firefox

Read more on https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

User · Answer

As the new feature comes  SameSite None cookies must also be marked as Secure or they will be rejected   One can find more information about the change on chromium updates and on this blog post  Note  not quite related directly to the question  but might be useful for others who landed here as it was my concern at first during development of my website    if you are seeing the warning from question that lists some 3rd party sites  in my case it was google com  huh  - that means they need to fix it and it s nothing to do with your site  Of course unless the warning mentions your site  in which case adding Secure should fix it

User · Answer

I m also in a  quot trial and error quot  for that  but this answer from Google Chrome Labs  Github helped me a little  I defined it into my main file and it worked - well  for only one third-party domain  Still making tests  but I m eager to update this answer with a better solution    EDIT  I m using PHP 7 4 now  and this syntax is working good  Sept 2020    cookie options   array     expires    gt  time     60 60 24 30     path    gt          domain    gt    domain com      leading dot for compatibility or use subdomain    secure    gt  true     or false    httponly    gt  false     or false    samesite    gt   None     None    Lax    Strict     setcookie  cors-cookie    my-site-cookie    cookie options     If you have PHP 7 2 or lower  as Robert s answered below   setcookie  key    value   time    7 24 3600    quot    SameSite None  Secure quot    If your host is already updated to PHP 7 3  you can use  thanks to Mahn s comment   setcookie  cookieName    cookieValue        expires    gt  time    7 24 3600     path    gt          domain    gt   domain com      samesite    gt   None      secure    gt  true     httponly    gt  true      Another thing you can try to check the cookies  is to enable the flag below  which   in their own words    quot will add console warning messages for every single cookie potentially affected by this change quot   chrome   flags  cookie-deprecation-messages See the whole code at  https   github com GoogleChromeLabs samesite-examples blob master php md  they have the code for same-site-cookies too

User · Answer

gt   PHP 7 3  setcookie  key    value     samesite    gt   None    secure    gt  true      lt  PHP 7 3  exploit the path setcookie  key    value   time    7 24 3600       SameSite None  Secure     Emitting javascript  echo   lt script gt document cookie  key value  SameSite None  Secure    lt  script gt

User · Answer

For those can not create PHP session and working with live domain at local  You should delete live sites secure cookie first  Full answer   https   stackoverflow com a 64073275 1067434

User · Answer

I ended up fixing our Ubuntu 18 04   Apache 2 4 29   PHP 7 2 install for Chrome 80 by installing mod headers   a2enmod headers   Adding the following directive to our Apache VirtualHost configurations   Header edit Set-Cookie          1  Secure  SameSite None    And restarting Apache    service apache2 restart   In reviewing the docs  http   www balkangreenfoundation org manual en mod mod headers html  I noticed the  always  condition has certain situations where it does not work from the same pool of response headers  Thus not using  always  is what worked for me with PHP but the docs suggest that if you want to cover all your bases you could add the directive both with and without  always   I have not tested that

User · Answer

If you are experiencing the OP s problem where your cookies have been set using JavaScript - for example   document cookie    my cookie name my cookie value  expires Thu  11 Jun 2070 11 11 11 UTC  path       you could instead use   document cookie    my cookie name my cookie value  expires Thu  11 Jun 2070 11 11 11 UTC  path    SameSite None  Secure     It worked for me  More info here

[php] How to fix "set SameSite cookie to none" warning?

Examples related to php

Examples related to cookies