Cookies Misusing the Recommended “sameSite“ Attribute

#1
Hi Everyone,

I am looking after a site (sadly based upon) CI v2.1.0.

I have just noticed in Firefox's console the following: "Some cookies are misusing the recommended “sameSite“ attribute". There is no such entry in Chrome's console window. M$ Edge, well, Dev tools window fails.

In short, it is "Cookie “name” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute."
It looks like it applies to Google Analytics cookies also: "Cookie “_ga” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute."

Should I be concerned that the site will not function in the future, when browsed with Firefox? If so, how do I fix this?
Do I need to extend a core library to add the secure attribute, or modify the sameSite attribute?


Thanks in advance.
Reply

#2
As far as I know it is not a CI-related issue.
I have a similar issue on my website (CI v3).
I use some embedded charts such as Google Trends which causes this issue because it does requests to another domain. 

If the source of your problem is similar, then it should be fixed by the external domain (in my case Google Trends should set appropriate headers on the responses) that it uses. 
Besides, I have built a hybrid mobile app, where embedded Google Trends works fine on an Android phone (because they use the Chrome engine), but because of this warning it does not work on iPhone (because it uses the Safari engine).

I checked this issue 2 months earlier, so I don't remember all the details.

Also, I don't know about the scale of your CI 2 application, but it is quite easy to upgrade to CI 3 from CI 2. I have done it a couple of years ago.
Reply

#3
Read this.

Chrome's Changes Could Break Your App: Prepare for SameSite Cookie Updates
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )
Reply

#4
Thanks for the replies and link.

@InsiteFX
I had a read of the link and set the flags in Chrome, (v 81), and the site is functioning correctly.
Additionally, I updated the config to send the cookie only if an HTTPS connection exists.

Code:
$config['cookie_secure'] = TRUE;

This fixed our site's cookies from displaying the notice.  The third-party cookies are still displaying the notice, and as @neuron says, that is not a CI issue.

Thanks again guys for your help.
Reply
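The condition named in the Firefox warning quoted in #1, and the effect of the cookie_secure change in #4, as an added example (not part of any post in this thread and not CodeIgniter code): a small Python check over Set-Cookie header values. The header strings, function names and status labels are constructed for illustration.

```python
# Added example: flag cookies that match the Firefox console warning
# ("sameSite" set to "none" or an invalid value, without "secure").
VALID_SAMESITE = {"strict", "lax", "none"}

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (cookie name, attribute dict)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        # Attribute names are matched case-insensitively.
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def audit(header):
    """Return (name, status) for one Set-Cookie header value."""
    name, attrs = parse_set_cookie(header)
    if "samesite" not in attrs:
        # Not covered by the wording of the quoted warning; reported separately.
        return name, "samesite-unset"
    value = attrs["samesite"].lower()
    none_or_invalid = value == "none" or value not in VALID_SAMESITE
    if none_or_invalid and "secure" not in attrs:
        return name, "flagged"
    return name, "not-flagged"

def audit_headers(headers):
    return [audit(h) for h in headers]

# Constructed sample headers (not captured from any real site).
SAMPLE_HEADERS = [
    "ci_session=abc123; path=/; SameSite=None",                    # no Secure
    "ci_session=abc123; path=/; Secure; HttpOnly; SameSite=None",  # with Secure
    "_ga=GA1.2.111.222; path=/; SameSite=bogus",                   # invalid value
    "pref=dark; path=/; samesite=Lax",
    "legacy=1; path=/",
]

if __name__ == "__main__":
    for cookie_name, status in audit_headers(SAMPLE_HEADERS):
        print(f"{cookie_name:12} {status}")
```

To check a live site, paste the Set-Cookie values from the browser's network panel into the list in place of the samples.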

#5
See here: https://developer.mozilla.org/en-US/docs...e/SameSite paymydoctor
Reply

