CodeIgniter Forums
Cookies Misusing the Recommended “sameSite“ Attribute - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Using CodeIgniter (https://forum.codeigniter.com/forumdisplay.php?fid=5)
+--- Forum: General Help (https://forum.codeigniter.com/forumdisplay.php?fid=24)
+--- Thread: Cookies Misusing the Recommended “sameSite“ Attribute (/showthread.php?tid=76467)



Cookies Misusing the Recommended “sameSite“ Attribute - Mr Lister - 05-14-2020

Hi Everyone,

I am looking after a site, (sadly based upon), CI v2.1.0.   Sad

I have just noticed in Firefox's console the following: "Some cookies are misusing the recommended “sameSite“ attribute".  There is no such entry in Chrome's console window.  M$ Edge, well, Dev tools window fails  Rolleyes

In short, it is "Cookie “name” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute.
It looks it applies to google analytics cookies also, "Cookie “_ga” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute.".

Should I been concerned that the site will not function in the future, when browsed with Firefox?  If so, how do I fix this?
Do I need to extend a core library to add the secure attribute, or modify the sameSite attribute?


Thanks in advance.


RE: Cookies Misusing the Recommended “sameSite“ Attribute - neuron - 05-15-2020

As far as I know it is not CI related issue.
I similar issue in my website (CI v3).
I use some embedded charts such as Google Trends which causes this issue because it does requests to another domain. 

If the source of your problem is similar, then it should be fixed by the external domain (in my case Google Trends should set appropriate headers on the responses) that it uses. 
Besides, I have build a Hybrid mobile app, where embedded Google Trends works fine on Android phone (because they use chrome engine), but because if this warning it does not work on Iphone (because it uses Safari engine).

I checked this issue 2 months earlier, so I don't remember all the details.

Also, I don't know about the scale of your CI 2 application but it is quite easy to upgrade to CI 3 from CI 2. I have done it couple years ago


RE: Cookies Misusing the Recommended “sameSite“ Attribute - InsiteFX - 05-15-2020

Read this.

Chrome's Changes Could Break Your App: Prepare for SameSite Cookie Updates


RE: Cookies Misusing the Recommended “sameSite“ Attribute - Mr Lister - 05-15-2020

Thanks for the replies and link.

@InsiteFX
I had a read of the link and set the flags in Chrome, (v 81), and the site is functioning correctly.
Additionally, I updated the config to send the cookie only if an HTTPS connection exists.

Code:
$config['cookie_secure'] = TRUE;

This fixed our site's cookies from displaying the notice.  The third-party cookies are still displaying the notice, and as @neuron says, that is not a CI issue.

Thanks again guys for your help.