Extend Cookie Support for SameSite=None, Secure

[ganeshkarki]

• Laravel Version: 5.5

Description:

Google introduces new Chrome policy, marking all Cookie without samesite flag to 'strict' by default. If you want to allow third party cookies you must set samesite flag to none.

For cookie related logic laravel uses symfony/http-foundation and they already have released the support for it. I am not sure if its good idea or not, but can we update the composer.json to use proper version of htttp-foundation to extend the same support to laravel too?

Symfony Ticket: symfony/symfony#31475
For symfony/http-foundation, the version is 3.4.28

Please consider change like this:

//composer.json
"require": {
    ...
    "symfony/http-foundation": "~3.4.28",
   ...
},

[driesvints]

Hey there,

Unfortunately we don't support this version anymore. Please check out our support policy on which versions we are currently supporting. Can you please try to upgrade to the latest version and see if your problem persists? We'll help you out and re-open this issue if so.

Thanks!

[stzahi]

Inside config/session.php
You can inject it into the cookie through the path argument.
'path' => '/;samesite=none',

Another thing is you must make sure that
'secure' => true

[Ardakilic]

Thanks @stzahi , your trick works nicely even on Laravel 4!

However, when I do this on v4.2, it only sets the laravel_sessions key as intended. Custom session keys didn't have secure flag even though the secure => true variable was set. So I had to alter the path line to make custom session values also have secure flag.

So, I had to alter path key like this:

 'path' => '/;SameSite=None; secure',

In addition to altering the secure key to true.

And voila! Worked nicely.

Thanks again for the trick.

[stzahi]

@Ardakilic secure=>true worked for me on laravel 4.2,
Make sure you've cleared the config cache (php artisan config:cache).

[Ardakilic]

@stzahi Yup, it didn't help sadly. I set the cookies via Cookie::queue('key', 'value', $expire); and these ones didn't have the secure flag, unlike the default cookie key for sessions such as laravel_session which it worked nicely for like your example. Anyways, thanks again!

[Jimbolino]

please note that newer versions of php (7.0 and up) do not support this workaround because extra validation was added to setcookie().

ErrorException (E_WARNING) Cookie paths cannot contain any of the following ',; \t\r\n\013\014'

https://bugs.php.net/patch-display.php?bug_id=69948&patch=0001-Fix-69948&revision=latest

[Ardakilic]

@Jimbolino I've just tried this cookie path fix with Laravel 4.2 and PHP7.1 on a project, no warning thrown at all. I enabled debug, and I have error_reporting(E_ALL ^ E_DEPRECATED) on my app for mcrypt.

But yeah, it throws error as you mentioned, but I guess for PHP versions bigger than 7.3.0: https://3v4l.org/iMo7C

[Jimbolino]

Yeah i was not sure about the 7.0 statement.
Figured that a commit to master @ 2015-06-28 would land in the next major php release, but they sat on it for a couple of years:
7.0 release date: 2015-12-03
7.3 release date: 2018-12-06

Alternatively i was looking for a fix via .htaccess, however:
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=None
does not work for my *.localhost and *.companydev.com develop environments

And a more complex regex example got me spooked:
Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; SameSite=None$3$4"

Luckily prod still runs php 5.5 🤣

[viraljetani]

Inside config/session.php
You can inject it into the cookie through the path argument.
'path' => '/;samesite=none',

Another thing is you must make sure that
'secure' => true

This worked for me.. Thank you!

[mahmoudelshenawy]

i am using laravel 7 and this trick does not work can anybody help me with that? i am using datatable and coulding redirect to another page based on data from datatable page ?

[stzahi]

You don't need it in Laravel 7, this is only a trick for Laravel 5. At Laravel 7 it comes out of the box. Have fun, Tzahi.

…

On Wed, Sep 9, 2020 at 5:44 PM mahmoudelshenawy ***@***.***> wrote: i am using laravel 7 and this trick does not work can anybody help me with that? i am using datatable and coulding redirect to another page based on data from datatable page ? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#30832 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AA7EJBIPL6QL32OUZ2KIUA3SE6IDRANCNFSM4J2IBB3Q> .

[tegola]

Anyone having issues with cookies when developing locally might need to add an exception in the configuration:

// config/session.php
'path' => env('APP_ENV') === 'local' ? '/' : '/;SameSite=None',
'secure' => env('APP_ENV') === 'local' ? false : true,

[isupremedyou]

@tegola I have added that but I still get a 419 while testing my login page. Login redirects to a 419 page and in console, I see a message that Set-Cookie failed because it still has the secure attribute.

Did you have to do anything else to get Laravel to stop marking the cookie as secure?