Extend Cookie Support for SameSite=None, Secure #30832
Comments
Hey there, Unfortunately we don't support this version anymore. Please check out our support policy on which versions we are currently supporting. Can you please try to upgrade to the latest version and see if your problem persists? We'll help you out and re-open this issue if so. Thanks! |
Inside config/session.php Another thing is you must make sure that |
Thanks @stzahi , your trick works nicely even on Laravel 4! However, when I do this on v4.2, it only sets the laravel_sessions key as intended. Custom session keys didn't have secure flag even though the secure => true variable was set. So I had to alter the path line to make custom session values also have secure flag. So, I had to alter 'path' => '/;SameSite=None; secure', In addition to altering the secure key to true. And voila! Worked nicely. Thanks again for the trick. |
@Ardakilic secure=>true worked for me on laravel 4.2, |
@stzahi Yup, it didn't help sadly. I set the cookies via |
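An added example, not code from any participant in this thread or from Laravel/Symfony: a small audit over `Set-Cookie` header values that reports, per cookie, whether `SameSite=None` is paired with `Secure`, which is the gap described above for custom cookies. The function name and the sample headers are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Parse one Set-Cookie header value and report SameSite/Secure problems.
 * Returns ['name' => string, 'findings' => string[]].
 */
function auditSetCookie(string $header): array
{
    $parts = array_map('trim', explode(';', $header));
    // First part is name=value; everything after it is an attribute.
    [$name] = explode('=', array_shift($parts), 2);

    $secure = false;
    $sameSite = [];
    foreach ($parts as $part) {
        [$attr, $value] = array_pad(explode('=', $part, 2), 2, '');
        $attr = strtolower(trim($attr));
        if ($attr === 'secure') {
            $secure = true;
        } elseif ($attr === 'samesite') {
            $sameSite[] = strtolower(trim($value));
        }
    }

    $findings = [];
    if ($sameSite === []) {
        $findings[] = 'no SameSite attribute: the browser applies its own default';
    } elseif (count(array_unique($sameSite)) > 1) {
        $findings[] = 'conflicting SameSite values: ' . implode(', ', $sameSite);
    }
    if (in_array('none', $sameSite, true) && !$secure) {
        $findings[] = 'SameSite=None without Secure';
    }
    return ['name' => $name, 'findings' => $findings];
}

// Constructed sample headers (not captured from a real application).
$samples = [
    'laravel_session=abc123; path=/;SameSite=None; secure; httponly', // workaround + secure => true
    'prefs=dark; path=/;SameSite=None; httponly',                     // custom cookie, no secure flag
    'legacy=1; path=/; httponly',                                     // no SameSite at all
];
foreach ($samples as $header) {
    $result = auditSetCookie($header);
    echo $result['name'], ': ', $result['findings'] ? implode(' | ', $result['findings']) : 'ok', PHP_EOL;
}
```

Feeding it the `Set-Cookie` values from a real response (for example copied from the browser's network panel) shows which cookies still lack the flag.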
please note that newer versions of php (7.0 and up) do not support this workaround because extra validation was added to setcookie().
https://bugs.php.net/patch-display.php?bug_id=69948&patch=0001-Fix-69948&revision=latest |
@Jimbolino I've just tried this cookie path fix with Laravel 4.2 and PHP7.1 on a project, no warning thrown at all. I enabled debug, and I have But yeah, it throws error as you mentioned, but I guess for PHP versions bigger than 7.3.0: https://3v4l.org/iMo7C |
Yeah i was not sure about the 7.0 statement. Alternatively i was looking for a fix via .htaccess, however: And a more complex regex example got me spooked: Luckily prod still runs php 5.5 🤣 |
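An added example, not code from the thread or from Laravel: a check that finds the path workaround in a `config/session.php` style array before a PHP upgrade turns it into a `setcookie()` error. The rejected-character set is the one `setcookie()` applies to path values on PHP versions that validate them; `same_site` is assumed to be the native key on Laravel versions with built-in support, and the function name and sample configs are constructed.

```php
<?php
declare(strict_types=1);

// Characters setcookie() refuses in a path value on PHP versions that validate it.
const COOKIE_PATH_REJECTED = ",; \t\r\n\013\014";

/**
 * Audit a config/session.php style array for the path workaround.
 * Returns a list of findings; an empty list means nothing was flagged.
 */
function auditSessionConfig(array $session): array
{
    $findings = [];
    $path = (string) ($session['path'] ?? '/');
    $secure = (bool) ($session['secure'] ?? false);
    $sameSite = strtolower((string) ($session['same_site'] ?? ''));

    $cut = strcspn($path, COOKIE_PATH_REJECTED); // length of the clean prefix
    $smuggled = substr($path, $cut);             // '' when the path is clean
    if ($smuggled !== '') {
        $findings[] = sprintf('path carries extra attributes (%s); real path is "%s"',
            trim($smuggled, '; '), substr($path, 0, $cut));
    }
    // SameSite=None may come from the workaround or from the native key.
    $wantsNone = $sameSite === 'none'
        || preg_match('/;\s*samesite\s*=\s*none\b/i', $path) === 1;
    if ($wantsNone && !$secure) {
        $findings[] = 'SameSite=None requested while secure is false';
    }
    if ($smuggled !== '' && $sameSite !== '') {
        $findings[] = 'same_site is set and path also injects attributes';
    }
    return $findings;
}

// Constructed configs mirroring the values quoted in this thread.
$configs = [
    'workaround'        => ['path' => '/;SameSite=None', 'secure' => true],
    'workaround, local' => ['path' => '/;SameSite=None', 'secure' => false],
    'clean local'       => ['path' => '/', 'secure' => false],
    'native + leftover' => ['path' => '/;SameSite=None', 'secure' => true, 'same_site' => 'none'],
];
foreach ($configs as $label => $config) {
    echo $label, ': ', implode(' | ', auditSessionConfig($config)) ?: 'ok', PHP_EOL;
}
```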
This worked for me.. Thank you! |
i am using laravel 7 and this trick does not work can anybody help me with that? i am using datatable and coulding redirect to another page based on data from datatable page ? |
You don't need it in Laravel 7, this is only a trick for Laravel 5.
At Laravel 7 it comes out of the box.
Have fun,
Tzahi.
|
Anyone having issues with cookies when developing locally might need to add an exception in the configuration:

```php
// config/session.php
'path' => env('APP_ENV') === 'local' ? '/' : '/;SameSite=None',
'secure' => env('APP_ENV') === 'local' ? false : true,
```
|
@tegola I have added that but I still get a 419 while testing my login page. Login redirects to a 419 page and in console, I see a message that Set-Cookie failed because it still has the Did you have to do anything else to get Laravel to stop marking the cookie as secure? |
@isupremedyou Make sure you clear the cached configuration with |
I succeeded to achieve this with Laravel 4.2 and PHP7.4 (and will work possibly with PHP8), but I ended up editing some core files:

Find:

```php
$cookies .= 'Set-Cookie: '.$cookie."\r\n";
```

Replace With:

```php
// Cookie attributes use name=value syntax, so SameSite=None (not SameSite:None).
$cookies .= 'Set-Cookie: '.$cookie."; SameSite=None\r\n";
```

Find:

```php
setcookie($cookie->getName(), $cookie->getValue(), $cookie->getExpiresTime(), $cookie->getPath(), $cookie->getDomain(), $cookie->isSecure(), $cookie->isHttpOnly());
```

Replace With:

```php
if (PHP_VERSION_ID < 70300) {
    // Before PHP 7.3 setcookie() only accepts positional arguments (no samesite).
    setcookie($cookie->getName(), $cookie->getValue(), $cookie->getExpiresTime(), $cookie->getPath(), $cookie->getDomain(), $cookie->isSecure(), $cookie->isHttpOnly());
} else {
    // PHP 7.3+ accepts an options array that includes 'samesite'.
    setcookie($cookie->getName(), $cookie->getValue(), [
        'expires' => $cookie->getExpiresTime(),
        'path' => $cookie->getPath(),
        'domain' => $cookie->getDomain(),
        'secure' => $cookie->isSecure(),
        'samesite' => 'None',
        'httponly' => $cookie->isHttpOnly(),
    ]);
}
```

Find the $str .= '; SameSite=None'; And voila! I have PHP7.4, and Laravel 4.2 (mcrypt installed from php-pear), having cookies for the site with proper SameSite attribute enabled. This will possibly work with Laravel 5.0, etc. too. I'm sure the locations of the files are same or quite similar. I may create a fork in the future to override the |
I have created a fork regarding my last message: https://github.com/Ardakilic/http-foundation

Here's my commit: Ardakilic/http-foundation@5f1cb06

Simply altering your

```json
{
    "repositories": [
        {
            "type": "vcs",
            "url": "https://github.com/Ardakilic/http-foundation"
        }
    ],
    "require": {
        "symfony/http-foundation": "dev-2.7-samesite as 2.7.999"
    }
}
```

I'd appreciate if any one of you could try this.
|
Description:

Google is introducing a new Chrome policy, marking all cookies without the samesite flag as 'strict' by default. If you want to allow third-party cookies you must set the samesite flag to none.

For cookie related logic Laravel uses symfony/http-foundation and they already have released the support for it. I am not sure if it's a good idea or not, but can we update the composer.json to use the proper version of http-foundation to extend the same support to Laravel too?

Symfony Ticket: symfony/symfony#31475

For symfony/http-foundation, the version is 3.4.28

Please consider change like this: