问题
I hope anybody can give me some ideas to my problem. I am trying to apply SameSite cookie to make session work but it seems it doesn't work. The visited site html:
<iframe src="https://www.example.com/test/iframe.php"></iframe>
Iframe source site:
<?php
header('Set-Cookie: cross-site-cookie=PHPSESSID; SameSite=None; Secure');
session_start();
if(!isset($_SESSION['test'])){
echo 1;
$_SESSION['test'] = 'ee2';
}else{
echo $_SESSION['test'];
}
If I visit the website, I still receive A cookie associated with a cross-site resource at https://www.example.com/ was set without the SameSite attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with SameSite=None and Secure. message in browser console and session is not saved.
Strange thing is that the cookie has been actually set:
Am I missing something? Why do I get this message in console if cross-site-cookie is set and what could be reasons for session to not work? I am using php 7.1.33. If I open iframe directly, it works and it also works properly if I open the site with browser where I haven't enabled the SameSite by default cookies flag for testing.
回答1:
I resolved it by editing .htaccess
<ifmodule mod_headers.c>
Header always edit Set-Cookie ^(.*)$ $1;SameSite=None;Secure
</ifmodule>
回答2:
Set session & cookies param php: https://www.php.net/manual/en/function.session-set-cookie-params.php Browser: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
<?php
session_set_cookie_params(["SameSite" => "Strict"]); //none, lax, strict
session_set_cookie_params(["Secure" => "true"]); //false, true
session_set_cookie_params(["HttpOnly" => "true"]); //false, true
session_start(); //everything before this
OR php.ini:
[Session]
session.cookie_samesite = "Strict"
session.cookie_secure = 1
session.cookie_httponly = 1
回答3:
I temporary resolved my problem using htaccess:
Header edit Set-Cookie ^(.*)$ $1;SameSite=None;Secure
回答4:
I resolved it by:
<?php
session_start();
header('Set-Cookie: PHPSESSID= ' . session_id() . '; SameSite=None; Secure');
回答5:
I wrote a class for this.
https://github.com/ovunctukenmez/SameSiteSessionStarter
It also checks if the browser supports samesite parameter properly.
Instead of session_start();
Use like the this:
<?php
require_once 'SameSiteSessionStarter.php';
//start samesite none php session
SameSiteSessionStarter::session_start();
回答6:
I found that this worked for me - setting SameSite as "None" - and some more info on what that means here.
Apparently, browsers no longer allow you to set whatever you want in an iframe, I was trying to handle a session in an iframe, loaded on a different domain and while doing that, I noticed that a different session was being created for the OTHER domain instead of what I was loading in the iframe. This seems to have fixed it. I am still testing but it's the first thing that worked since I started looking for a fix this morning.
来源:https://stackoverflow.com/questions/60157086/php-samesite-session-problem-session-doesnt-work