19

I looked at the console and noticed these warnings:

A cookie associated with a cross-site resource at http://google.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

How to solve it?

Tedinoz
Tiago
  • https://medium.com/@PeterNagyJob/how-did-i-waste-6-hours-finding-out-all-about-same-site-cookies-82d75062ede2 – EGC Oct 03 '19 at 02:00
  • Refer to this: https://web.dev/samesite-cookies-explained It probably has to do with your domain name and TLD. – vS12 Oct 03 '19 at 02:01
  • @vS12 Would it add this at the beginning of my code? https://github.com/GoogleChromeLabs/samesite-examples/blob/master/php.md – Tiago Oct 03 '19 at 02:04
  • I guess so, because it's set in the headers of the request. – vS12 Oct 03 '19 at 02:33
  • Minor text edit for clarity – Tedinoz Oct 03 '19 at 02:50
  • @vS12 I put it at the beginning of the file, still the error continues :( – Tiago Oct 03 '19 at 02:53
  • @Tiago - not an expert in php, check this answer - as they discuss on how to deal with this in php. https://stackoverflow.com/questions/39750906/php-setcookie-samesite-strict – vS12 Oct 03 '19 at 02:57
  • Chrome is showing this error in the dev tools console in every web site I visit. – Tom Shaw Oct 03 '19 at 03:41
  • None of the answers will work unless the external resources that you use, are set with `SameSite=None` from their source. This can only be added by the developers of those resources with access to the code or server that their cookies are being set from. See: https://github.com/GoogleChromeLabs/samesite-examples/issues/4#issuecomment-548598318 – Mike Kormendy Dec 08 '19 at 23:35

3 Answers

11

A solution that worked for me:

If you are using PHP, add this line to the beginning

header('Set-Cookie: cross-site-cookie=name; SameSite=None; Secure');


Update: Here is a useful resource including examples in JavaScript, Node.js, PHP, and Python:
https://github.com/GoogleChromeLabs/samesite-examples
Josh Stovall
  • 4
    Still continues. I put the code at the beginning of the index.php file and still the errors continue. – Tiago Oct 05 '19 at 13:55
  • This will not work for external resources that have not altered their setting of cookies. See https://github.com/GoogleChromeLabs/samesite-examples/issues/4#issuecomment-548598318 – Mike Kormendy Dec 08 '19 at 23:40
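
Added example, not part of the original answer or comments: a small JavaScript check that classifies `Set-Cookie` header values according to the rule in the console warning (cookies without a SameSite attribute are treated as `SameSite=Lax` by default, and `SameSite=None` is only accepted together with `Secure`). The sample headers and the verdict names are constructed for illustration.

```javascript
// Added example: sample headers are constructed, verdict names are made up here.
const SAMPLE_HEADERS = [
  'cross-site-cookie=name; SameSite=None; Secure', // the header from the answer
  'PHPSESSID=abc123; path=/; HttpOnly',            // no SameSite attribute
  'widget=1; SameSite=None',                       // None without Secure
  'prefs=dark; Secure; SameSite=Lax',
];

// Split one Set-Cookie value into the cookie name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((part) => part.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? '' : part.slice(i + 1).trim();
  }
  return { name, attrs };
}

// Verdicts:
//   treated-as-lax  no SameSite attribute, so the browser applies Lax by default
//   rejected        SameSite=None without Secure
//   cross-site-ok   SameSite=None; Secure
//   explicit-lax / explicit-strict  the site chose a restriction itself
function classify(header) {
  const { name, attrs } = parseSetCookie(header);
  const sameSite = 'samesite' in attrs ? attrs.samesite.toLowerCase() : null;
  const secure = 'secure' in attrs;
  let verdict = 'treated-as-lax'; // also used for unrecognised values (assumption)
  if (sameSite === 'none') verdict = secure ? 'cross-site-ok' : 'rejected';
  else if (sameSite === 'lax' || sameSite === 'strict') verdict = 'explicit-' + sameSite;
  return { name, verdict };
}

// Names of cookies that would trigger the console warnings.
function flagged(headers) {
  return headers
    .map(classify)
    .filter((c) => c.verdict === 'treated-as-lax' || c.verdict === 'rejected')
    .map((c) => c.name);
}

console.log(SAMPLE_HEADERS.map(classify));
console.log('flagged:', flagged(SAMPLE_HEADERS));
```

Feed it the `Set-Cookie` values from your own responses (visible in the Network tab); cookies set by third-party hosts can only be changed by the operators of those hosts.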
5

There's nothing you can do until Google's developers/admins (and developers/admins of other external resources) modify their scripts/servers to include the necessary cookie settings on the cookies they generate when your website includes them. See here for more info:

https://github.com/GoogleChromeLabs/samesite-examples/issues/4#issuecomment-548598318

If you are debugging your website, you can temporarily ignore those entries in Chrome's developer tools console by adding this filter to the filter box:

-SameSite=None

For example:

[Image: Example of -SameSite=None filter in Chrome's developer tools console]

Mike Kormendy
1

Does your .htaccess file contain a header unset cookie code? And do you use a CDN and its cache, like Cloudflare?

If so, just delete the code in the .htaccess.

Hans Ganteng
  • Hello, I do not use cloudflare. What can it be? – Tiago Oct 03 '19 at 17:19
  • I think this link is the best answer for this: https://stackoverflow.com/questions/24129201/add-secure-and-httponly-flags-to-every-set-cookie-response-in-apache-httpd – Hans Ganteng Oct 03 '19 at 17:50
  • 1
    See if I get it right. Inside my htaccess I add this line `Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure"`? – Tiago Oct 03 '19 at 18:14