72

I created a Chrome extension, and from popup.js I called a PHP script (using XMLHttpRequest) that reads the cookie, like this:

$cookie_name = "mycookie";

if(isset($_COOKIE[$cookie_name]))
{
    echo $_COOKIE[$cookie_name];
}
else{
    echo "nocookie";
}

But I'm getting this warning under the errors listed for the extension:

A cookie associated with a cross-site resource at (Here is my domain) was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

I tried to create the cookie like this, but it didn't help.

setcookie($cookie_name,$cookie_value, time() + 3600*24, "/;samesite=None ","mydomain.com", 1);

Following instructions from this question.

Danilo Ivanovic
  • 1,216
  • 1
  • 10
  • 18
  • It also says "Secure" which means https, I guess. – wOxxOm Oct 02 '19 at 06:38
  • you can follow this example to solve this issue: https://stackoverflow.com/a/58723552/6215447 – Code Cooker Nov 06 '19 at 05:54
  • You can use [a third-party library](https://github.com/delight-im/PHP-Cookie) to manage cookies on PHP 5.4+, providing a `setcookie` replacement that takes an additional argument `$sameSite`. The argument can be `None`, `Lax` or `Strict`. An OOP interface is available as well. – caw Feb 02 '20 at 01:06

6 Answers

46

I'm also in a "trial and error" phase with this, but this answer from Google Chrome Labs' GitHub helped me a little. I defined it in my main file and it worked - well, for only one third-party domain. Still making tests, but I'm eager to update this answer with a better solution :)

I'm using PHP 7.4 now, and this syntax is working well (Sept 2020):

$cookie_options = array(
  'expires' => time() + 60*60*24*30,
  'path' => '/',
  'domain' => '.example.com', // leading dot for compatibility or use subdomain
  'secure' => true, // must be true when samesite is None, otherwise Chrome rejects the cookie
  'httponly' => false, // or true
  'samesite' => 'None' // None || Lax || Strict
);

setcookie('cors-cookie', 'my-site-cookie', $cookie_options);

If you have PHP 7.2 or lower (as Robert answered below):

setcookie('key', 'value', time()+(7*24*3600), "/; SameSite=None; Secure");

If your host is already updated to PHP 7.3, you can use (thanks to Mahn's comment):

setcookie('cookieName', 'cookieValue', [
  'expires' => time() + (7*24*3600),
  'path' => '/',
  'domain' => 'example.com',
  'samesite' => 'None',
  'secure' => true,
  'httponly' => true
]);

Another thing you can try in order to check the cookies is to enable the flag below, which—in their own words—"will add console warning messages for every single cookie potentially affected by this change":

chrome://flags/#cookie-deprecation-messages

See the whole code at: https://github.com/GoogleChromeLabs/samesite-examples/blob/master/php.md, they have the code for same-site-cookies too.

Stephen Ostermiller
  • 23,933
  • 14
  • 88
  • 109
Dimas Pante
  • 2,466
  • 22
  • 30
  • I'm using PHP 7.3 and tried both (header and setcookie) but I still get the SameSite warning when I load a page with a PayPal script... I'm still on localhost though, does it make any difference? – LuBre Feb 10 '20 at 16:34
  • @LuBre Hmm could be. I didn't test like this yet, but it makes sense. Also, does your localhost have SSL? – Dimas Pante Mar 02 '20 at 14:06
  • 1
    Sadly it's not a localhost issue, I experience this warning online too. I would say it's something on PayPal's side... – LuBre Mar 03 '20 at 15:07
  • Hmm well... I think @vir us's comment below fits your problem, probably PayPal isn't much concerned about it yet :P – Dimas Pante Mar 04 '20 at 00:27
  • 1
    Proper 7.3 setcookie syntax example, since the example in the answer messed up the parameters: `setcookie('key', 'value', ['expires' => time() + (7*24*3600), 'path' => '/', 'domain' => 'yourdomain.com', 'samesite' => 'None', 'secure' => true, 'httponly' => true ]);` – Mahn Sep 10 '20 at 17:54
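The answer above gives one snippet per PHP version. As an added example (not code from the answer or from the Chrome Labs repository), the helper below folds them into a single function: it uses the options array on PHP 7.3+ and falls back to the path trick on older versions, passes Secure through its own argument rather than repeating it in the path, and refuses to run over plain HTTP because a Secure cookie set on http:// is never stored. The function name and the `$_SERVER['HTTPS']` check are assumptions; behind a TLS-terminating proxy you would check the forwarded-proto header your proxy sets instead.

```php
<?php
// Added example: emit a cross-site cookie the way Chrome 80+ requires
// (SameSite=None together with Secure) on any PHP version.
// Assumption: the response is served over HTTPS and $_SERVER['HTTPS']
// reflects that (adjust the check if a proxy terminates TLS).

function set_cross_site_cookie(string $name, string $value, int $ttl, string $domain = ''): bool
{
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        // Secure cookies are dropped by the browser on http://, so fail loudly
        // instead of silently producing a cookie that never arrives.
        trigger_error("$name: SameSite=None cookies require HTTPS", E_USER_WARNING);
        return false;
    }

    $expires = time() + $ttl;

    if (PHP_VERSION_ID >= 70300) {
        // Native support: the options array accepts 'samesite'.
        return setcookie($name, $value, [
            'expires'  => $expires,
            'path'     => '/',
            'domain'   => $domain,     // empty string omits the Domain attribute
            'secure'   => true,        // mandatory with SameSite=None
            'httponly' => true,
            'samesite' => 'None',
        ]);
    }

    // PHP < 7.3 has no samesite option, so smuggle the attribute in through the
    // path argument. Secure and HttpOnly go through their own arguments so the
    // header does not carry a duplicated "Secure".
    return setcookie($name, $value, $expires, '/; SameSite=None', $domain, true, true);
}

// Usage: must run before any output is sent, like setcookie() itself.
set_cross_site_cookie('mycookie', 'value', 3600 * 24, 'mydomain.com');
```

Both branches produce the same Set-Cookie header shape (`Path=/; Domain=...; SameSite=None; Secure; HttpOnly`), which you can confirm in the Network tab or with `curl -I` against the endpoint.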
33

As the new feature comes, SameSite=None cookies must also be marked as Secure or they will be rejected.

One can find more information about the change on the Chromium updates page and in this blog post.

Note: not quite related directly to the question, but might be useful for others who landed here as it was my concern at first during development of my website:

if you are seeing the warning from question that lists some 3rd party sites (in my case it was google.com, huh) - that means they need to fix it and it's nothing to do with your site. Of course unless the warning mentions your site, in which case adding Secure should fix it.

vir us
  • 9,920
  • 6
  • 57
  • 66
  • 3
    Thanks for this I couldn't fathom why my cookies were not being set. – Adam Jimenez Aug 07 '20 at 21:01
  • 2
    goddamn. I spend the whole day trying to figure out why samesite was not working in our Symfony project. turns out I needed the secure cookie attribute set to true as well. Thanks! – Bhavesh G Aug 28 '20 at 22:15
12
>= PHP 7.3

setcookie('key', 'value', ['samesite' => 'None', 'secure' => true]);

< PHP 7.3

Exploit the path:

setcookie('key', 'value', time()+(7*24*3600), "/; SameSite=None; Secure");

Emitting JavaScript:

echo "<script>document.cookie = 'key=value; SameSite=None; Secure';</script>";
Robert Greene
  • 151
  • 1
  • 5
2

I ended up fixing our Ubuntu 18.04 / Apache 2.4.29 / PHP 7.2 install for Chrome 80 by installing mod_headers:

a2enmod headers

Adding the following directive to our Apache VirtualHost configurations:

Header edit Set-Cookie ^(.*)$ "$1; Secure; SameSite=None"

And restarting Apache:

service apache2 restart

In reviewing the docs (http://www.balkangreenfoundation.org/manual/en/mod/mod_headers.html) I noticed the "always" condition has certain situations where it does not work from the same pool of response headers. Thus not using "always" is what worked for me with PHP but the docs suggest that if you want to cover all your bases you could add the directive both with and without "always". I have not tested that.

eburnside
  • 117
  • 1
  • 2
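vir us's answer states the rule Chrome enforces (SameSite=None only counts together with Secure), and eburnside's Apache rule `Header edit Set-Cookie ^(.*)$ "$1; Secure; SameSite=None"` appends those attributes to every Set-Cookie header regardless of what the application already put there. As an added example (not code from either answer), the auditor below parses Set-Cookie header values and reports the cases a practitioner wants to catch before Chrome does: SameSite=None without Secure, no SameSite at all, and a SameSite attribute that appears twice, which is what the blanket Apache rewrite yields when the application had already emitted SameSite=Lax. The sample headers are constructed for the example; the function names are assumptions.

```php
<?php
// Added example: audit Set-Cookie header values for the conditions Chrome
// applies to cross-site cookies. The headers below are constructed samples.

/**
 * Parse one Set-Cookie header value into ['name' => ..., 'attrs' => [...]].
 * Attribute names are lower-cased; valueless flags such as Secure map to
 * true. Repeated attributes are kept in a list so duplicates can be reported.
 */
function parse_set_cookie(string $header): array
{
    $parts = array_map('trim', explode(';', $header));
    $pair  = array_shift($parts);
    $name  = trim(strstr($pair, '=', true) ?: $pair);
    $attrs = [];
    foreach ($parts as $part) {
        if ($part === '') {
            continue;
        }
        $eq  = strpos($part, '=');
        $key = strtolower($eq === false ? $part : substr($part, 0, $eq));
        $val = $eq === false ? true : trim(substr($part, $eq + 1));
        $attrs[$key][] = $val;
    }
    return ['name' => $name, 'attrs' => $attrs];
}

/**
 * Return a list of problems for one Set-Cookie header; empty means it is fine.
 */
function audit_set_cookie(string $header): array
{
    $attrs    = parse_set_cookie($header)['attrs'];
    $sameSite = array_map('strtolower', $attrs['samesite'] ?? []);
    $problems = [];

    if (count($sameSite) > 1) {
        // Typically the result of a proxy appending SameSite to a header that
        // already carried one; browsers may pick either value.
        $problems[] = 'duplicate SameSite attribute: ' . implode(', ', $sameSite);
    }
    if (in_array('none', $sameSite, true) && !isset($attrs['secure'])) {
        // The rule from the Chrome warning: None is rejected without Secure.
        $problems[] = 'SameSite=None without Secure (rejected by Chrome 80+)';
    }
    if ($sameSite === []) {
        // Chrome 80+ treats a missing attribute as Lax, so cross-site delivery stops.
        $problems[] = 'no SameSite attribute (Chrome defaults to Lax)';
    }
    return $problems;
}

// Constructed sample headers. The last one is what the blanket Apache
// "Header edit" rule produces when the app had already sent SameSite=Lax.
$samples = [
    'session=abc; Path=/; SameSite=None; Secure; HttpOnly',
    'session=abc; Path=/; SameSite=None',
    'session=abc; Path=/',
    'session=abc; Path=/; SameSite=Lax; Secure; SameSite=None',
];

foreach ($samples as $header) {
    $problems = audit_set_cookie($header);
    printf("%-58s %s\n", $header, $problems ? implode('; ', $problems) : 'OK');
}
```

To audit a live application rather than constructed strings, feed it the output of `headers_list()` at the end of a request (filtering for entries starting with `Set-Cookie:`), or the headers captured with `curl -sI`; anything other than `OK` is a cookie Chrome will warn about or drop.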
1

If you are experiencing the OP's problem where your cookies have been set using JavaScript - for example:

document.cookie = "my_cookie_name=my_cookie_value; expires=Thu, 11 Jun 2070 11:11:11 UTC; path=/";

you could instead use:

document.cookie = "my_cookie_name=my_cookie_value; expires=Thu, 11 Jun 2070 11:11:11 UTC; path=/; SameSite=None; Secure";

It worked for me. More info here.

ban-geoengineering
  • 18,324
  • 27
  • 171
  • 253
1

I am using both a JavaScript cookie and Java CookieUtil in my project; the settings below solved my problem:

JavaScript Cookie

var d = new Date();
d.setTime(d.getTime() + (30*24*60*60*1000)); //keep cookie 30 days
var expires = "expires=" + d.toGMTString();
document.cookie = "visitName" + "=Hailin;" + expires + ";path=/;SameSite=None;Secure"; //can set SameSite=Lax also

JAVA Cookie (set proxy_cookie_path in Nginx)

location / {
   proxy_pass http://96.xx.xx.34;
   proxy_intercept_errors on;
   #can set SameSite=None also
   proxy_cookie_path / "/;SameSite=Lax;secure";
   proxy_connect_timeout 600;
   proxy_read_timeout 600;
}

Check the result in Firefox (screenshot omitted).

Read more on https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Hailin Tan
  • 989
  • 9
  • 7