
I have a PHP application that runs on a wildcard domain (https://foo.bar.com).

If I load the PHP application in an iframe on bar.com or any instance of *.bar.com, the application runs perfectly.

If I try to load the application in an iframe on my localhost (http://localhost/bar), the initial login page loads, but it doesn't look like sessions are being set for me.

I've attempted the following so far:

<?php
// Allow cross-origin XHR/fetch responses to be read (not related to cookies).
header('Access-Control-Allow-Origin: *');

// Ask PHP to add "SameSite=None; Secure" to the session cookie.
// Note: the session.cookie_samesite ini setting and the "samesite" key
// below only exist as of PHP 7.3.0; on older versions ini_set() returns
// false and the array form of session_set_cookie_params() is not accepted.
ini_set('session.cookie_samesite', 'None');
ini_set('session.cookie_secure', 'true');
// SESSION_EXPIRE_TIME is a constant defined elsewhere in the application.
session_set_cookie_params(["lifetime" => SESSION_EXPIRE_TIME, "samesite" => "None", "secure" => true]);

session_start();

but this doesn't seem to be working with the sessions. In Chrome's Application tab, I do see the PHPSESSID (foo.bar.com) that has Secure checked, but SameSite is blank. Any extra guidance would be great.

Ancesteral
  • Is JavaScript involved at all, in a way that you are actually making cross-origin request? If not, then what do you want with `Access-Control-Allow-Origin`? – CBroe Jan 28 '22 at 08:30
  • _"that has secure checked but SameSite is blank"_ - what is your PHP version? This setting is available as of PHP 7.3.0. Assuming you are not using anything older than that, what happens when you clear all existing cookies, and start fresh? – CBroe Jan 28 '22 at 08:33
  • Hey, thanks for the responses. We are using JavaScript, which is why I have that enabled for now. We are using PHP 5.6 currently; is there a way to enable this for older versions of PHP? – Ancesteral Jan 28 '22 at 17:06
  • Then you will have to set the session cookie yourself, or manipulate it via some additional web server directives. https://stackoverflow.com/a/51128675/1427878 But the real problem to fix here would be that you still run an application on such a massively outdated PHP version, that has not even seen security fixes for years. – CBroe Jan 31 '22 at 07:17
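As an added example (not code from the question or from the comments above), the following shows the two ways of getting "SameSite=None; Secure" onto the PHP session cookie that the comments point at: the `samesite` key of `session_set_cookie_params()` on PHP 7.3 and later, and, on older versions where `setcookie()` and the ini settings do not know the attribute, rewriting the queued `Set-Cookie` header by hand. The function name, the `$lifetime` argument and the 3600-second placeholder are this example's own assumptions; it assumes the application is served over HTTPS, which the `Secure` flag requires before a browser will store or send the cookie at all.

```php
<?php
// Added example, not the asker's code. Starts the PHP session so that its
// cookie carries "SameSite=None; Secure", which browsers require before they
// will send the cookie inside a cross-site iframe. Assumes HTTPS and a
// $lifetime in seconds chosen by the caller.

function start_cross_site_session($lifetime)
{
    // Accept the session id from the cookie only, never from the URL, and
    // reject ids the server did not generate itself (use_strict_mode).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');

    if (PHP_VERSION_ID >= 70300) {
        // PHP >= 7.3 understands the 'samesite' key directly.
        session_set_cookie_params([
            'lifetime' => $lifetime,
            'path'     => '/',
            'secure'   => true,
            'httponly' => true,
            'samesite' => 'None',
        ]);
        session_start();
        return;
    }

    // PHP < 7.3 (e.g. 5.6): 'secure' and 'httponly' are supported through the
    // positional signature, but SameSite does not exist yet, so PHP's own
    // Set-Cookie header has to be rewritten after session_start().
    session_set_cookie_params($lifetime, '/', '', true, true);
    session_start();
    append_samesite_none();
}

// Re-emit every Set-Cookie header queued so far with "; SameSite=None"
// appended. header_remove() drops all Set-Cookie headers at once, so each
// collected one is sent again (header(..., false) keeps the others).
function append_samesite_none()
{
    if (headers_sent()) {
        return; // output already started; headers can no longer be changed
    }
    $cookies = [];
    foreach (headers_list() as $header) {
        if (stripos($header, 'Set-Cookie:') === 0) {
            $cookies[] = $header;
        }
    }
    header_remove('Set-Cookie');
    foreach ($cookies as $cookie) {
        if (stripos($cookie, 'SameSite=') === false) {
            $cookie .= '; SameSite=None';
        }
        header($cookie, false);
    }
}

// Placeholder lifetime of one hour; the real application would pass its own.
start_cross_site_session(3600);
```

After the call, Chrome's Application tab should show PHPSESSID with both Secure and SameSite=None set; a blank SameSite column on an older PHP means the `ini_set('session.cookie_samesite', ...)` line was silently ignored, which is exactly the symptom described in the question. Note that PHP only sends the session cookie on the response that creates it (or after `session_regenerate_id()`), so the rewrite must run on that request; the `Access-Control-Allow-Origin` header is unrelated to cookies and can stay whatever the JavaScript side needs.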

0 Answers