Login

Jan Zelenka · 05-29-2020, 12:58 AM

Hi!
I have noticed Firefox giving the following warning in the console:

Cookie “ci_session” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Cookies

Anything I can fix as a user?

mjamilasfihani · 06-01-2020, 02:02 AM

Same with me

freelanceBanik · 06-01-2020, 05:45 AM

I am also getting warning in firefox console that

"Cookie “ci_session” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Cookies".

My javascript has been stopped working now from when I am getting this notice.

dave friend · 06-01-2020, 07:38 AM

In the file app/Config/App.php you will need to use

PHP Code:
public $cookieSecure  = true; 

And you will also need to implement SSL certificates and use https

Jan Zelenka · 06-02-2020, 09:04 AM

Thanks a lot that was indeed the solution!

sg007 · 09-26-2020, 12:26 AM

(06-01-2020, 07:38 AM)dave friend Wrote: In the file app/Config/App.php you will need to use

PHP Code:
public $cookieSecure = true;

And you will also need to implement SSL certificates and use https

Dear,
I didn't find App.php in Config folder...Can you please tell me the reason ?
Thanks

**InsiteFX** · 09-26-2020, 12:39 PM

Also make sure that this has not been changed in Config/app.php

PHP Code:
public $cookieSameSite = 'Lax'; 

What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009. ( Skype: insitfx )

mneucollins · 05-18-2021, 10:10 AM

Hi I know this is the Codeigniter 4 forum, but I am maintaining a legacy CI3 system and wondered anybody here knows if there is a solution to the Firefox cookie rejection message for CI3. Thanks.

**InsiteFX** · 05-18-2021, 08:34 PM

For CI 3 no there is not a solution at this time.

What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009. ( Skype: insitfx )

paulkd · 05-19-2021, 04:15 AM

Hi,

Use at your own risk Angel

system\libraries\Session\Session.php
line ~159

Code:
// Another work-around ... PHP doesn't seem to send the session cookie

// unless it is being currently created or regenerated

elseif (isset($_COOKIE[$this->_config['cookie_name']]) && $_COOKIE[$this->_config['cookie_name']] === session_id())

{

  setcookie(

    $this->_config['cookie_name'],

    session_id(),

    [

      'expires' => (empty($this->_config['cookie_lifetime']) ? 0 : time() + $this->_config['cookie_lifetime']),

      'path' => $this->_config['cookie_path'],

      'domain' => $this->_config['cookie_domain'],

      'secure' => $this->_config['cookie_secure'],

      'httponly' => TRUE,

      'samesite' => $this->_config['cookie_samesite']

    ]

  );

}

line ~285

Code:
isset($params['cookie_path']) OR $params['cookie_path'] = config_item('cookie_path');

isset($params['cookie_domain']) OR $params['cookie_domain'] = config_item('cookie_domain');

isset($params['cookie_secure']) OR $params['cookie_secure'] = (bool) config_item('cookie_secure');

isset($params['cookie_samesite']) OR $params['cookie_samesite'] = config_item('cookie_samesite');

session_set_cookie_params([

  'lifetime' => $params['cookie_lifetime'],

  'path' => $params['cookie_path'],

  'domain' => $params['cookie_domain'],

  'secure' => $params['cookie_secure'],

  'httponly' => TRUE, // HttpOnly; Yes, this is intentional and not configurable for security reasons

  'samesite' => $params['cookie_samesite']

]);

application\config\config.php
line ~403

Code:
$config['cookie_prefix'] = '';

$config['cookie_domain'] = '';

$config['cookie_path'] = '/';

$config['cookie_secure'] = FALSE;

$config['cookie_httponly'] = FALSE;

$config['cookie_samesite'] = 'Lax';