16

I currently have a PHP script that sets the sametime cookie as follows:

    session_set_cookie_params($cookie_timeout, $cookieParams["path"], $cookie_domain, $session_secure, $cookie_httponly);

I want to add samesite="Lax" to the above statement by adding an extra parameter where ($cookie_samesite="Lax")

    session_set_cookie_params($cookie_timeout, $cookieParams["path"], $cookie_domain, $session_secure, $cookie_httponly, $cookie_samesite);

The new output of the statement would look like

1800, /, ".vasports.com.au", 1, 1, "Lax"

Is this the correct format for the samesite parameter?

NOTE: I do not have a PHP7.3 installed yet. Hence I can't test this properly. And I've referred to PHP doco for "session_set_cookie_params". I have also checked

PHP setcookie "SameSite=Strict"?

user3526609
  • 505
  • 1
  • 4
  • 15

3 Answers

34

As of PHP 7.3 you can throw an options array into set_cookie_params that supports SameSite.

    session_set_cookie_params([
        'lifetime' => $cookie_timeout,
        'path' => '/',
        'domain' => $cookie_domain,
        'secure' => $session_secure,
        'httponly' => $cookie_httponly,
        'samesite' => 'Lax'
    ]);

On PHP <7.3 you can add the SameSite parameter by adding it to the "path" param.

    session_set_cookie_params([
        'lifetime' => $cookie_timeout,
        'path' => '/;SameSite=none', // <-- this way!
        'domain' => $cookie_domain,
        'secure' => $session_secure,
        'httponly' => $cookie_httponly,
        'samesite' => 'Lax'
    ]);

Anarcociclista
  • 313
  • 2
  • 11
Silver Shadow
  • 364
  • 2
  • 6
  • 4
    He stated that he doesn't have 7.3, so he is looking for an answer for a prior version – nbk Nov 23 '19 at 15:50
  • @nbk No, he said he was unable to test it because 7.3 wasn't installed yet. Below 7.3 it is not possible through cookie params, then you need to change the header. Also, this is the page I landed on after a search, so it may be for others as well and first getting the cookie params to then set them again is extra overhead. I think this is the best method for 7.3+ atm. – Silver Shadow Nov 23 '19 at 17:38
  • This is the answer I required. But I also finally upgraded to PHP7.3 and tested it to confirm it is working correctly. - Thanks for the response. – user3526609 Nov 26 '19 at 02:37
  • Colleagues, what about PHP <7.3 ? – Vsevolod Azovsky Mar 29 '20 at 08:54
  • In php<7.3 @session_set_cookie_params(0, '/;SameSite=Strict'); – user3270784 May 10 '20 at 11:01
  • 2
    I am on php 5.6 - to have cookies set in an iFrame I use this code to have my page working again on Chrome 84: session_set_cookie_params(3600*24, '/;SameSite=None', $_SERVER['HTTP_HOST'], true); Set secure to "true" is important. (better close browser and clear cache to test it) – bodomalo Aug 16 '20 at 13:28
  • How to set samesite attribute for PHPSESSID cookies? Above example creates a cookie with as 1P_JAR. – Rohit Jul 07 '23 at 11:54
6

Adapted from Silver Shadow's answer, but fixing the syntax for PHP <7.3, since session_set_cookie_params() can't take an array as a single parameter until precisely 7.3; instead each parameter needs to be set. It also autodetects the PHP version to pick the correct option, so you can use it even if you later upgrade to 7.3:

    // set as your own needs:
    $maxlifetime = 0;
    $path = '/';
    $domain = '';
    $secure = false;
    $httponly = false;
    $samesite = 'lax'; // here is what we need

    if(PHP_VERSION_ID < 70300) {
        session_set_cookie_params($maxlifetime, $path.'; samesite='.$samesite, $domain, $secure, $httponly);
    } else {
        // note I use `array()` instead of `[]` to allow support of php <5.4
        session_set_cookie_params(array(
            'lifetime' => $maxlifetime,
            'path' => $path,
            'domain' => $domain,
            'secure' => $secure,
            'httponly' => $httponly,
            'samesite' => $samesite
        ));
    }

DiegoDD
  • 1,625
  • 4
  • 21
  • 32
  • This should be the accepted answer since PHP < 7.3 does not support the alternative signature with an array of parameters. – Raphos Apr 30 '21 at 10:28
3

After some further research ...

  1. Get the current parameters first.
  2. Then change the parameters as required, in this case ['samesite'] = "Lax".
  3. Set the cookie.

    $cookieParams = session_get_cookie_params();
    $cookieParams['samesite'] = "Lax"; // quoted key; a bare `samesite` is an undefined constant
    session_set_cookie_params($cookieParams);

Check your 'set-cookie:' header and you should now see the text 'SameSite=Lax' at the end like this.

    set-cookie: ssid=b930bc608a911781f459a4f46b2c513d; expires=Wed, 16-Oct-2019 10:48:49 GMT; Max-Age=1800; path=/; secure; HttpOnly; SameSite=Lax
user3526609
  • 505
  • 1
  • 4
  • 15
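A version-aware helper that combines the get/modify/set sequence from this answer with the PHP_VERSION_ID branch from DiegoDD's answer, added here as an example and not code from any of the posts. The function name `configure_session_cookie` and the forced-Secure handling for `None` are assumptions of this example, not something the thread specifies.

```php
<?php
// Added example (not from the thread): set the session cookie's SameSite
// attribute on any PHP version, starting from the currently configured params.
// Scalar type hints are deliberately omitted so the function also parses on PHP 5.x.
function configure_session_cookie($samesite = 'Lax', $secure = null)
{
    // Normalise case so 'lax' / 'LAX' are accepted; reject anything else early
    $samesite = ucfirst(strtolower((string) $samesite));
    if (!in_array($samesite, array('Lax', 'Strict', 'None'), true)) {
        throw new InvalidArgumentException("Unsupported SameSite value: $samesite");
    }

    // Start from the session.cookie_* ini values, as in the get/modify/set answer
    $params = session_get_cookie_params();
    if ($secure === null) {
        $secure = (bool) $params['secure'];
    }
    // Browsers drop SameSite=None cookies that are not also Secure (see the
    // Chrome 84 comment above), so force the flag on instead of emitting a cookie
    // that will never be stored.
    if ($samesite === 'None') {
        $secure = true;
    }

    if (PHP_VERSION_ID >= 70300) {
        // 7.3+: the options array understands 'samesite' natively
        $params['secure']   = $secure;
        $params['samesite'] = $samesite;
        session_set_cookie_params($params);
    } else {
        // Pre-7.3: no samesite option, so append the attribute to the path
        // string, which PHP copies verbatim into the Set-Cookie header.
        session_set_cookie_params(
            $params['lifetime'],
            $params['path'] . '; SameSite=' . $samesite,
            $params['domain'],
            $secure,
            $params['httponly']
        );
    }
    return array_merge($params, array('secure' => $secure, 'samesite' => $samesite));
}

// Usage: must run before session_start(), which is what emits the Set-Cookie header
configure_session_cookie('Lax');
session_start();

// Verify the attribute actually went out (only meaningful once headers are sent)
foreach (headers_list() as $header) {
    if (stripos($header, 'Set-Cookie:') === 0) {
        echo $header, "\n";
    }
}
```

Run it behind a web server rather than the CLI, since the CLI SAPI never sends headers and `headers_list()` stays empty there.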