
I have a fully working setcookie() PHP call running with these params...

<?php

setcookie(
  '_siteauth', 
  Crypt::encrypt(site()->password),
  time() + 86400,
  '/',
);

?>

The code above sets a cookie every time with no issues!

But as soon as I attempt to use the samesite option the cookie never sets... which is a problem.

I am not running this in an iFrame. I am testing this locally using Docker's WordPress image, which I can't see being a problem.

At first, after all the online reading, I thought it might be a PHP version conflict, but it failed to work in tests both pre- and post-PHP 7.3.0.

After reading https://www.php.net/manual/en/function.setcookie.php

...it says options can be set as an associative array including expires, path, domain, secure, httponly and samesite, but every time I try this setcookie method it does not set.

This is my locally dumped $_SERVER['HTTP_HOST'] result...

demo.local.mydomain.com

Here are all my locally tested code attempts, using $_SERVER['HTTP_HOST'] for domain...

<?php

// Attempt 1: PHP 7.3+ options-array signature; samesite is set but secure is left false
setcookie(
    '_siteauth',
    Crypt::encrypt(site()->password),
    [
        'expires' => time() + 86400,
        'path' => '/',
        'domain' => $_SERVER['HTTP_HOST'],
        'samesite' => 'None',
        'secure' => false,
        'httponly' => false
    ]
);

?>
<?php

// Attempt 2: pre-7.3 signature, smuggling the SameSite attribute through the path argument
setcookie(
    '_siteauth',
    Crypt::encrypt(site()->password),
    time() + 86400,
    '/; SameSite=none'
);

?>
<?php

// Attempt 3: same as attempt 1 with the option keys in a different order
setcookie(
    '_siteauth',
    Crypt::encrypt(site()->password),
    [
        'expires' => time() + 86400,
        'path' => '/',
        'domain' => $_SERVER['HTTP_HOST'],
        'secure' => false,
        'httponly' => false,
        'samesite' => 'None'
    ]
);

?>

And none of these code examples save the _siteauth cookie when executed.

I've tried every variation of the setcookie() signature across PHP versions, including the samesite key and value, but no cookie is saved.

The reason I am changing my previous setcookie() script is that there was a change early in 2020 in Chrome's iframe cookie policy, defaulting to SameSite=Lax. So I need to force SameSite=None when setting my cookie.

https://web.dev/samesite-cookies-explained/
https://web.dev/samesite-cookie-recipes/

If anyone can see where I'm going wrong, help would be amazing.

1 Answer


When you set a cookie with SameSite=None it'll be blocked (by the browser) unless it also has Secure, which is omitted/set to false in the code snippets.

setcookie(
    '_siteauth',
    Crypt::encrypt(site()->password),
    [
        'expires' => time() + 86400,
        'path' => '/',
        'domain' => $_SERVER['HTTP_HOST'],
        'samesite' => 'None',
        'secure' => true,   // required alongside SameSite=None, otherwise the browser rejects the cookie
    ]
);

3 Comments

Thanks a million dude!!! It doesn't work locally, however your answer fixes my staging and production environment issues. I can work with this :-) Thank you for taking the time to help... saved me hours of attempting to debug.
If you've read docs that say SameSite=None must be Secure=true, please share so I can see what I missed, thanks.
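The answer above and the "doesn't work locally" comment are two halves of the same browser rule: a cookie with SameSite=None is only accepted when it is also Secure, and a Secure cookie is only stored when the response arrives over HTTPS (browsers make an exception for localhost, not for a custom host such as demo.local.mydomain.com served over plain http). The helper below is an added example written for this page, not code from the question, the answer, or the framework behind Crypt::encrypt(site()->password); the function name set_cross_site_cookie(), its $ttl and $domain parameters, the HTTPS detection via $_SERVER, and the manual header() fallback for PHP older than 7.3 are all this example's own choices.

```php
<?php
// Added example (not from the original post). Sends an auth cookie that a
// current browser will accept in a cross-site (iframe) context. Two rules apply:
//   1. SameSite=None is only accepted together with Secure.
//   2. A Secure cookie is only stored when it arrives over HTTPS.
// The function name, the $ttl/$domain parameters and the "refuse over plain
// HTTP" policy are assumptions made for this example.

function set_cross_site_cookie(string $name, string $value, int $ttl = 86400, ?string $domain = null): bool
{
    // Assumption: HTTPS is detected from the SAPI's own variables, not from a
    // forwarded header, so a proxy cannot talk us into sending a cookie that
    // the browser will then drop.
    $https = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
          || (int)($_SERVER['SERVER_PORT'] ?? 0) === 443;

    if (!$https) {
        // The browser would silently discard a Secure cookie sent over http://,
        // so fail loudly instead of emitting a Set-Cookie header that never sticks.
        trigger_error("$name: SameSite=None requires Secure, which requires HTTPS; cookie not sent", E_USER_WARNING);
        return false;
    }

    $expires = time() + $ttl;

    if (PHP_VERSION_ID >= 70300) {
        // PHP 7.3+: the options-array signature understands 'samesite'.
        $options = [
            'expires'  => $expires,
            'path'     => '/',
            'secure'   => true,   // mandatory companion of SameSite=None
            'httponly' => true,   // the cookie carries a credential; keep it out of document.cookie
            'samesite' => 'None',
        ];
        if ($domain !== null) {
            $options['domain'] = $domain;
        }
        return setcookie($name, $value, $options);
    }

    // Older PHP has no 'samesite' option: emit the header by hand rather than
    // smuggling the attribute through the path argument.
    $header = sprintf(
        'Set-Cookie: %s=%s; Expires=%s; Path=/%s; Secure; HttpOnly; SameSite=None',
        $name,
        rawurlencode($value),
        gmdate('D, d M Y H:i:s \G\M\T', $expires),
        $domain !== null ? '; Domain=' . $domain : ''
    );
    header($header, false);   // false: do not replace cookies set earlier in this response
    return true;
}

// Usage matching the question's call (Crypt::encrypt(site()->password) is the
// page's framework code). Omitting the domain argument yields a host-only cookie,
// which is tighter than copying $_SERVER['HTTP_HOST'] into the Domain attribute.
// set_cross_site_cookie('_siteauth', Crypt::encrypt(site()->password));
```

Two design points worth noting. First, the example leaves the domain argument out by default: $_SERVER['HTTP_HOST'] is taken from the client's Host header, may carry a port suffix, and a Domain attribute also makes the cookie visible to every subdomain, whereas a host-only cookie is scoped to exactly the host that set it. Second, it turns on HttpOnly, which the posted snippets leave false; since the value is an encrypted password, there is no reason for page scripts to be able to read it.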
