1

I'm still becoming a developer. First of all I can't show any code related to this problem because I'm not allowed to do so...

With the new cookie policy from Chrome (and others) the SameSite attribute must be set to None.

My problem is that I can't find any code where the cookies are set. It comes from a server. I searched the git repositories of the company I'm currently at. I searched the internet for every solution possible. The problem is finding the right place to put it in. The code is written in PHP, which I haven't learned so far.

The said cookie comes from another website and I am unable to track it down.

Kevin Hernandez
Buridius
  • What version of CakePHP are you using? CakePHP 2 has Session Cookies defined in `App/Config/core.php`. – UncaAlby Dec 06 '19 at 21:52
  • I'd suggest taking a look at https://web.dev/samesite-cookies-explained You should set a `SameSite` value for your cookies, but `SameSite=None; Secure` is **only** required if you need cookies available in a third-party / cross-site context. If the cookies are only intended for visitors on your site, you should be looking at `SameSite=Lax` or `SameSite=Strict`. – rowan_m Dec 07 '19 at 23:43
  • Well the code is really weird (not mine obviously). So there is no folder containing the cookie creation. And I get the warning on the site with the 'SameSite' attribute. It seems that the server ('cdn') is sending it to the website and the error occurs – Buridius Dec 09 '19 at 07:17
  • `It seems that the server ('cdn') is sending it to the website` - what does this mean? Maybe you should back up a bit - how do you know your site sets cookies? What CDN are you referring to? [PHP uses `setcookie()`](https://www.php.net/manual/en/function.setcookie.php) to set cookies, so if you grep your sources for that you will find wherever CakePHP does that. – Don't Panic Dec 26 '19 at 10:35

3 Answers

4

Cake 3.5.8

In your config/app.php add the following lines into the Session['ini'] section:

    'Session' => [
        'ini' => [
            'session.cookie_samesite' => 'None',
            'session.cookie_secure' => true
        ]
    ],
0

I am using CakePHP 1.3. I need the backend cookie on a front-end that is not on the same domain. As the other solutions did not work, I used my own code. I created a new cookie after login. Then, on the front-end, I used this cookie as the backend login check and did my stuff.

    header("Set-Cookie: admin_login= ".$_SESSION['Auth']['User']['id']."; path=/; ".$_SERVER['HTTP_HOST']."; HttpOnly; SameSite=None; Secure");
Sandeep Sherpur
0

I have managed to hack this using the following in CakePHP 3.8.13 and PHP 7.2

    $this->Cookie->setConfig([
        'path' =>  '/; SameSite=Lax',
        'expires' => '+180 days',
        'httpOnly' => \FALSE
    ]);
thanassis
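
The raw `header()` call and the `path` workaround in the answers above both hand-assemble the cookie attributes. As an added example (not code from any of the answers or from CakePHP), here is a helper that validates the attributes, enforces that `SameSite=None` is paired with `Secure`, and uses the native `samesite` option of `setcookie()` on PHP 7.3+, with a hand-built header as the fallback on older versions. The function name `set_samesite_cookie` and the sample cookie are assumptions.

```php
<?php
// Added example: hypothetical helper, not part of CakePHP or of the answers above.
function set_samesite_cookie(string $name, string $value, array $opts = []): string
{
    $defaults = ['expires' => 0, 'path' => '/', 'domain' => '',
                 'secure' => true, 'httponly' => true, 'samesite' => 'Lax'];
    // Keep only the keys setcookie() understands, then fill in defaults.
    $o = array_intersect_key($opts, $defaults) + $defaults;

    if (!in_array($o['samesite'], ['Strict', 'Lax', 'None'], true)) {
        throw new InvalidArgumentException('samesite must be Strict, Lax or None');
    }
    // Browsers reject SameSite=None unless the cookie is also Secure.
    if ($o['samesite'] === 'None' && !$o['secure']) {
        throw new InvalidArgumentException('SameSite=None requires Secure');
    }
    // No separators or control characters: a field must not carry extra attributes.
    foreach ([$name, $o['path'], $o['domain']] as $field) {
        if (preg_match('/[=;,\s\x00-\x1f\x7f]/', $field)) {
            throw new InvalidArgumentException('illegal character in cookie field');
        }
    }

    // Header form, used on PHP < 7.3 and returned for logging or tests.
    $header = 'Set-Cookie: ' . $name . '=' . rawurlencode($value);
    if ($o['expires'] > 0) {
        $header .= '; Expires=' . gmdate('D, d M Y H:i:s', $o['expires']) . ' GMT';
    }
    $header .= '; Path=' . $o['path'];
    if ($o['domain'] !== '') { $header .= '; Domain=' . $o['domain']; }
    if ($o['secure'])        { $header .= '; Secure'; }
    if ($o['httponly'])      { $header .= '; HttpOnly'; }
    $header .= '; SameSite=' . $o['samesite'];

    if (PHP_VERSION_ID >= 70300) {
        setcookie($name, $value, $o);   // options array with 'samesite' exists since PHP 7.3
    } else {
        header($header, false);         // false: append, do not replace other Set-Cookie headers
    }
    return $header;
}

// Constructed sample: a cookie that must be sent in a cross-site context.
set_samesite_cookie('example_pref', 'constructed-value', ['samesite' => 'None']);
```

The returned string can be logged and compared against the `Set-Cookie` headers shown in the browser's network panel, which helps identify which server actually emits a given cookie.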