Login

codeus · 05-17-2025, 01:07 AM

Hi all,
Using v4.6.1 - in app/Config/Cookie.php - after changing samesite setting to 'None'

PHP Code:
    public string $samesite = 'None'; 

Console error is:

Quote:Cookie “pm_id” has been rejected because it is in a cross-site context ...

Still get cross-site errors. I'm doing this for testing, connecting to the remote CI4 server from localhost on local machine.

I've tried using Cookie helper to no avail-:

PHP Code:
helper('cookie');
 set_cookie('session_id', '', 3600, '','', true, true, 'None'); 

Is it possible to force samesite to 'None' for the CI session cookie?

Many thanks,
Mike

**paulbalandan** · 05-17-2025, 08:09 AM

Just to confirm, are you the one setting up the cookie named "pm_id"? From your example, it seems the name is "session_id".

codeus · 05-17-2025, 03:19 PM

(05-17-2025, 01:45 PM)codeus Wrote:
(05-17-2025, 08:09 AM)paulbalandan Wrote: Just to confirm, are you the one setting up the cookie named "pm_id"? From your example, it seems the name is "session_id".

Confirmed: whether using 'session_id', or 'pm_id', the issue remains the same.

I believe this is a bug. Any setting in Cookie $samesite appears to be overridden by the default Lax setting.

**paulbalandan** · Yesterday, 07:41 AM

No, samesite is only changed to Lax if the passed $samesite is an empty string. Can you show your code that sets up the session cookie?

codeus · Yesterday, 01:35 PM

(Yesterday, 07:41 AM)paulbalandan Wrote: No, samesite is only changed to Lax if the passed $samesite is an empty string. Can you show your code that sets up the session cookie?

Sure, for brevity the comments have been removed. app/Config/Session.php is unchanged from the CI default version.

app/Config/Cookie.php

PHP Code:
class Cookie extends BaseConfig
{
    public string $prefix = '';
    public $expires = 0;
    public string $path = '/';
    public string $domain = '';
    public bool $secure = true;
    public bool $httponly = true;
    public string $samesite = 'None';
    public bool $raw = false;
} 

app/Controllers/BaseController.php

PHP Code:
    public function initController(RequestInterface $request, ResponseInterface $response, LoggerInterface $logger): void
    {
        parent::initController($request, $response, $logger); // do not edit this line
        $this->request = $request;

        $this->session = session(); 

**InsiteFX** · Yesterday, 09:36 PM

You should check to see if your sessions are running.

PHP Code:
// E.g.: $this->session = service('session');
// Ensure that the session is started and running
    if (session_status() === PHP_SESSION_NONE) {
        // if session status is none then start the session
        $this->session = Services::session();
    } 

What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009. ( Skype: insitfx )

codeus · 11 hours ago

(Yesterday, 09:36 PM)InsiteFX Wrote: You should check to see if your sessions are running.

PHP Code:
// E.g.: $this->session = service('session'); // Ensure that the session is started and running if (session_status() === PHP_SESSION_NONE) { // if session status is none then start the session $this->session = Services::session(); }

Thanks, added the if statement. The if block is executed.

BTW In vendor/codeigniter4/framework/system/Session/Session.php if $sameSite = 'None' hack is added, the session has sameSite 'None'. Remove the hack, session has sameSite 'Lax'.

I would expect without the hack, sameSite should be 'None' because in my app/Config/Cookie.php sameSite is set to None there. Is this reasoning correct?

PHP Code:
 vendor/codeigniter4/framework/system/Session/Session.php  
 protected function configure()
    {
        ini_set('session.name', $this->config->cookieName);

        $sameSite = $this->cookie->getSameSite() ?: ucfirst(Cookie::SAMESITE_LAX);
        // TEMPORARY HACK
        $sameSite = 'None'; 

[/php]

**InsiteFX** · 9 hours ago

This should help you understand how it's working, there are a couple other articles in this one.

SameSite cookies explained

What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009. ( Skype: insitfx )

codeus · 9 hours ago

(9 hours ago)InsiteFX Wrote: This should help you understand how it's working, there are a couple other articles in this one.

SameSite cookies explained

My issue is, how do I set a session to use samesite 'None' ?
Other than using a hack.

**paulbalandan** · 2 hours ago

That's weird. On where you put the hack, can you put these lines so we can debug the values?

dd($this->cookie->getSameSite());
dd(config(\Config\Cookie::class)->samesite);

Make sure to remove first your temporary hack then run your code again. You should see the values for the lines above and paste them here.