PHP SameSite session problem, session doesn't work

有些话、适合烂在心里 提交于 2021-02-18 05:32:11

问题


I hope anybody can give me some ideas to my problem. I am trying to apply SameSite cookie to make session work but it seems it doesn't work. The visited site html:

<iframe src="https://www.example.com/test/iframe.php"></iframe>

Iframe source site:

    <?php
    header('Set-Cookie: cross-site-cookie=PHPSESSID; SameSite=None; Secure');
    session_start();
    if(!isset($_SESSION['test'])){
        echo 1;
        $_SESSION['test'] = 'ee2';
    }else{
        echo $_SESSION['test'];
    }

If I visit the website, I still receive A cookie associated with a cross-site resource at https://www.example.com/ was set without the SameSite attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with SameSite=None and Secure. message in browser console and session is not saved.

Strange thing is that the cookie has been actually set:

Am I missing something? Why do I get this message in console if cross-site-cookie is set and what could be reasons for session to not work? I am using php 7.1.33. If I open iframe directly, it works and it also works properly if I open the site with browser where I haven't enabled the SameSite by default cookies flag for testing.


回答1:


I resolved it by editing .htaccess

<ifmodule mod_headers.c>
Header always edit Set-Cookie ^(.*)$ $1;SameSite=None;Secure
</ifmodule> 



回答2:


Set session & cookies param php: https://www.php.net/manual/en/function.session-set-cookie-params.php Browser: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

<?php
session_set_cookie_params(["SameSite" => "Strict"]); //none, lax, strict
session_set_cookie_params(["Secure" => "true"]); //false, true
session_set_cookie_params(["HttpOnly" => "true"]); //false, true
session_start(); //everything before this

OR php.ini:

[Session]
session.cookie_samesite = "Strict"
session.cookie_secure = 1
session.cookie_httponly = 1



回答3:


I temporary resolved my problem using htaccess:

Header edit Set-Cookie ^(.*)$ $1;SameSite=None;Secure



回答4:


I resolved it by:

<?php

session_start();
header('Set-Cookie: PHPSESSID= ' . session_id() . '; SameSite=None; Secure');



回答5:


I wrote a class for this.

https://github.com/ovunctukenmez/SameSiteSessionStarter

It also checks if the browser supports samesite parameter properly.

Instead of session_start();
Use like the this:

<?php
require_once 'SameSiteSessionStarter.php';

//start samesite none php session
SameSiteSessionStarter::session_start();



回答6:


I found that this worked for me - setting SameSite as "None" - and some more info on what that means here.

Apparently, browsers no longer allow you to set whatever you want in an iframe, I was trying to handle a session in an iframe, loaded on a different domain and while doing that, I noticed that a different session was being created for the OTHER domain instead of what I was loading in the iframe. This seems to have fixed it. I am still testing but it's the first thing that worked since I started looking for a fix this morning.



来源:https://stackoverflow.com/questions/60157086/php-samesite-session-problem-session-doesnt-work

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!