ci_session cookie rejection warning
#1

Hi!
I have noticed Firefox giving the following warning in the console:

Cookie “ci_session” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Cookies

Anything I can fix as a user?
Reply
#2

Same with me
Reply
#3

I am also getting a warning in the Firefox console:

"Cookie “ci_session” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Cookies".

My JavaScript has stopped working since I started getting this notice.
Reply
#4

(This post was last modified: 06-01-2020, 07:38 AM by dave friend.)

In the file app/Config/App.php you will need to use

PHP Code:
public $cookieSecure = true;

And you will also need to implement SSL certificates and use https
Reply
#5

Thanks a lot that was indeed the solution!
Reply
#6

(06-01-2020, 07:38 AM)dave friend Wrote: In the file app/Config/App.php you will need to use

PHP Code:
public $cookieSecure = true;

And you will also need to implement SSL certificates and use https
Dear,
I didn't find App.php in the Config folder... Can you please tell me the reason?
Thanks
Reply
#7

Also make sure that this has not been changed in Config/app.php

PHP Code:
public $cookieSameSite = 'Lax';
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )
Reply
#8

Hi, I know this is the CodeIgniter 4 forum, but I am maintaining a legacy CI3 system and wondered if anybody here knows whether there is a solution to the Firefox cookie rejection message for CI3. Thanks.
Reply
#9

For CI 3, no, there is not a solution at this time.
Reply
#10

Hi,

Use at your own risk.

system\libraries\Session\Session.php
line ~159
Code:
// Another work-around ... PHP doesn't seem to send the session cookie
// unless it is being currently created or regenerated
elseif (isset($_COOKIE[$this->_config['cookie_name']]) && $_COOKIE[$this->_config['cookie_name']] === session_id())
{
  // The options-array form of setcookie() requires PHP 7.3 or later
  setcookie(
    $this->_config['cookie_name'],
    session_id(),
    [
      'expires' => (empty($this->_config['cookie_lifetime']) ? 0 : time() + $this->_config['cookie_lifetime']),
      'path' => $this->_config['cookie_path'],
      'domain' => $this->_config['cookie_domain'],
      'secure' => $this->_config['cookie_secure'],
      'httponly' => TRUE,
      'samesite' => $this->_config['cookie_samesite']
    ]
  );
}
line ~285
Code:
isset($params['cookie_path']) OR $params['cookie_path'] = config_item('cookie_path');
isset($params['cookie_domain']) OR $params['cookie_domain'] = config_item('cookie_domain');
isset($params['cookie_secure']) OR $params['cookie_secure'] = (bool) config_item('cookie_secure');
isset($params['cookie_samesite']) OR $params['cookie_samesite'] = config_item('cookie_samesite');

session_set_cookie_params([
  'lifetime' => $params['cookie_lifetime'],
  'path' => $params['cookie_path'],
  'domain' => $params['cookie_domain'],
  'secure' => $params['cookie_secure'],
  'httponly' => TRUE, // HttpOnly; Yes, this is intentional and not configurable for security reasons
  'samesite' => $params['cookie_samesite']
]);

application\config\config.php
line ~403
Code:
$config['cookie_prefix'] = '';
$config['cookie_domain'] = '';
$config['cookie_path'] = '/';
$config['cookie_secure'] = FALSE;
$config['cookie_httponly'] = FALSE;
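// New key read by the patched Session.php above; browsers only accept 'None' together with cookie_secure = TRUE
$config['cookie_samesite'] = 'Lax';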
Reply
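The thread's two fixes (a valid SameSite value, and Secure over HTTPS) can be checked before the cookie is ever sent. The following is an added example, not code from any poster or from CodeIgniter: the function name `build_session_cookie_options` is hypothetical, the config keys are the ones used in post #10, and the sample configs are constructed.

```php
<?php
/**
 * Build the options array for setcookie() / session_set_cookie_params()
 * (array form, PHP >= 7.3) and refuse combinations that browsers reject.
 * Hypothetical helper; not part of CodeIgniter.
 */
function build_session_cookie_options(array $config, bool $isHttps): array
{
    // Browsers match the value case-insensitively; normalise to one spelling.
    $sameSite = ucfirst(strtolower(trim((string) ($config['cookie_samesite'] ?? 'Lax'))));
    if (!in_array($sameSite, ['Lax', 'Strict', 'None'], true)) {
        throw new InvalidArgumentException('cookie_samesite must be Lax, Strict or None');
    }
    $secure = (bool) ($config['cookie_secure'] ?? false);

    // The case named in the Firefox warning: SameSite=None without Secure.
    if ($sameSite === 'None' && !$secure) {
        throw new InvalidArgumentException('SameSite=None requires cookie_secure = TRUE');
    }
    // Browsers drop Secure cookies on plain-HTTP sites, so the session would not persist.
    if ($secure && !$isHttps) {
        throw new RuntimeException('cookie_secure = TRUE but the site is not served over HTTPS');
    }

    $lifetime = (int) ($config['cookie_lifetime'] ?? 0);
    return [
        'expires'  => $lifetime === 0 ? 0 : time() + $lifetime,
        'path'     => $config['cookie_path'] ?? '/',
        'domain'   => $config['cookie_domain'] ?? '',
        'secure'   => $secure,
        'httponly' => true,
        'samesite' => $sameSite,
    ];
}

// Constructed sample configs, each checked as if the site were served over HTTPS.
$samples = [
    'Lax, not secure'     => ['cookie_samesite' => 'Lax',  'cookie_secure' => false],
    'None without secure' => ['cookie_samesite' => 'None', 'cookie_secure' => false],
    'none with secure'    => ['cookie_samesite' => 'none', 'cookie_secure' => true],
    'misspelled value'    => ['cookie_samesite' => 'Laxx', 'cookie_secure' => true],
];
foreach ($samples as $label => $config) {
    try {
        $o = build_session_cookie_options($config, true);
        printf("%-20s OK   SameSite=%s Secure=%s\n", $label, $o['samesite'], $o['secure'] ? 'yes' : 'no');
    } catch (Exception $e) {
        printf("%-20s FAIL %s\n", $label, $e->getMessage());
    }
}
```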



