SameSite=None for cross-site cookies in HTTPS


Sammy Garcia

Apr 9, 2020, 7:05:46 AM4/9/20
to jelix-fr

I'm using PHP 7.3 and Jelix 1.6.24 to authenticate an app (https://website2.com).

I'm embedding https://website2.com into https://website1.com via an iframe.

It was working well until recently when Chrome changed its security policy requiring cookie SameSite set to None. 

My https app has 2 cookies PHPSESSID and HASH_PHPSESSID.

To set SameSite to None I went into jelix/core/jSession.class.php and added session_set_cookie_params(['samesite' => 'None', 'secure' => true]); before session_start();.

As a result, in app cookie PHPSESSID is correctly defined (Secure=True | SameSite = None). However, I can't get HASH_PHPSESSID to be set the same (Secure=True | SameSite = )!

Any idea how to handle this in https?

Laurent Jouanneau

Apr 10, 2020, 9:00:42 AM4/10/20
to jeli...@googlegroups.com
Hi Sammy


On 09/04/2020 at 13:05, Sammy Garcia wrote:
>
> I'm using PHP 7.3 and Jelix 1.6.24 to authenticate an app
> (https://website2.com <https://website2.com/>).
>
> I'm embedding https://website2.com <https://website2.com/> into
> https://website1.com <https://website1.com/> via an iframe.
>
> It was working well until recently when Chrome changed its security
> policy requiring cookie SameSite set to None.
>
> My https app has 2 cookies PHPSESSID and HASH_PHPSESSID.
>
> To set SameSite to None I went into jelix/core/jSession.class.php and
> added session_set_cookie_params(['samesite' => 'None', 'secure' =>
> true]); before|session_start();

Thanks for the report and your proposal. I implemented the possibility to
set SameSite, Secure and HttpOnly:
https://github.com/jelix/jelix/commit/80a29b549271379c47b60ec1a8579a1e09eaa586

It will be released in Jelix 1.6.28.

>
> As a result, in app cookie PHPSESSID is correctly defined (Secure=True |
> SameSite = None). However, I can't get HASH_PHPSESSID to be set the same
> (Secure=True | SameSite = )!
>
> Any idea how to handle this in https?

What is this cookie HASH_PHPSESSID? This is a cookie you created
yourself in your application, right? Google tells me almost nothing
about HASH_PHPSESSID.

Laurent
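The two posts above together make the practical point: session_set_cookie_params() only governs PHP's own session cookie, so a cookie the application sets itself (HASH_PHPSESSID here) has to be given the SameSite=None and Secure attributes separately, and browsers ignore SameSite=None unless Secure is also present. The following is an added example written for this thread, not code from Jelix or from either poster; the cookie name HASH_PHPSESSID is taken from the thread, while its value, the buildSetCookieHeader() helper and the CLI self-check are assumptions made for illustration.

```php
<?php
// Added example (not Jelix code): give both the PHP session cookie and an
// application-defined cookie the attributes a cross-site iframe needs.
declare(strict_types=1);

// Attributes shared by every cookie that must survive a cross-site embed.
// SameSite=None is only honoured when Secure is also set, so this only
// works on an HTTPS origin such as https://website2.com in the thread.
const CROSS_SITE_COOKIE_ATTRS = [
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'None',
];

function configureSessionCookie(): void
{
    // PHP >= 7.3 accepts an options array; the older positional form of
    // session_set_cookie_params() has no way to express 'samesite'.
    session_set_cookie_params(CROSS_SITE_COOKIE_ATTRS + ['lifetime' => 0]);
    session_start();
}

function setCompanionCookie(string $name, string $value): bool
{
    // session_set_cookie_params() does not touch cookies the application
    // creates itself, so they need the same options array on setcookie().
    return setcookie($name, $value, CROSS_SITE_COOKIE_ATTRS);
}

// Constructed helper: renders the Set-Cookie header line that the options
// above correspond to, so the attributes can be checked from the command
// line without a browser. It mirrors setcookie()'s output for these keys.
function buildSetCookieHeader(string $name, string $value, array $attrs): string
{
    $parts = [rawurlencode($name) . '=' . rawurlencode($value)];
    if (!empty($attrs['path']))     { $parts[] = 'path=' . $attrs['path']; }
    if (!empty($attrs['secure']))   { $parts[] = 'Secure'; }
    if (!empty($attrs['httponly'])) { $parts[] = 'HttpOnly'; }
    if (!empty($attrs['samesite'])) { $parts[] = 'SameSite=' . $attrs['samesite']; }
    return 'Set-Cookie: ' . implode('; ', $parts);
}

if (PHP_SAPI === 'cli') {
    // Self-check: prints
    // Set-Cookie: HASH_PHPSESSID=example-value; path=/; Secure; HttpOnly; SameSite=None
    echo buildSetCookieHeader('HASH_PHPSESSID', 'example-value', CROSS_SITE_COOKIE_ATTRS), PHP_EOL;
} else {
    configureSessionCookie();
    // 'example-value' stands in for whatever the application actually stores.
    setCompanionCookie('HASH_PHPSESSID', 'example-value');
}
```

To confirm the attributes in a running deployment, inspect the response headers with `curl -I https://website2.com/` and check that every Set-Cookie line the app emits carries both `Secure` and `SameSite=None`; a cookie missing either one is the one Chrome will drop inside the iframe.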

Sammy Garcia

Apr 14, 2020, 6:30:03 AM4/14/20
to jelix-fr

Thanks Laurent,

Ok that's odd then, I thought HASH_PHPSESSID was something handled by Jelix. I use Apache, https configured. It must be somewhere there then... Can't see where at the moment though.
Cheers