When calling /login, I get a warning in Firefox about SameSite attribute
Hi Maurits,
today something maybe not immediately important, but just wanted to bring it up anyway to see what you think about it.
The warning from Firefox is:
Some cookies use the recommended "SameSite" attribute incorrectly. The cookie [xyz] will soon be rejected because it specifies either "None" or an invalid value for the "SameSite" attribute without using the "secure" attribute. For more information on the "SameSite" attribute, see https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite.
(translated from German)
[xyz] is the value I defined in 'dbAuth.sessionName'. These are the middlewares I use: 'dbAuth,authorization,customization,sslRedirect,xsrf,ajaxOnly'
I had made a note about this warning some while back, but as far as I remember it disappeared when deactivating the cors middleware. But now it comes up all the time.
The warning doesn't break anything, everything is working fine. Chrome does not show any warnings.
As I said, I just want to make sure everything will work in the future as well.
Best wishes from Austria, Gabriel
Hi Gabriel,
Thank you for creating this issue. This can indeed be a problem in certain configurations.

I was able to reproduce this with the dbAuth middleware.
Kind regards, Maurits
Okay, it seems this is PHP session security setting related, and this:
// Only set each option when php.ini has not configured it already
if (!ini_get('session.cookie_samesite')) {
    ini_set('session.cookie_samesite', 'Lax');
}
if (!ini_get('session.cookie_httponly')) {
    ini_set('session.cookie_httponly', 1);
}
// Secure only makes sense when the request itself came in over HTTPS
if (!ini_get('session.cookie_secure') && isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') {
    ini_set('session.cookie_secure', 1);
}
code could fix your PHP setup from within the script. Not sure I should add that though. Give it a try!
Alternatively add this to your php.ini file:
session.cookie_samesite="Lax"
session.cookie_secure=On
session.cookie_httponly=On
Which I think is good practice.
We could also do:
session_start([
'cookie_samesite' => 'Lax',
'cookie_httponly' => true,
'cookie_secure' => (($_SERVER['HTTPS'] ?? 'off') != 'off'),
]);
where we now have:
session_start();
but this would override any configuration present in the php.ini file.
any update/ideas/feedback?
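As an added example (not code from the issue or from php-crud-api), a small Python audit that parses a Set-Cookie header and reports the condition behind the Firefox warning (SameSite=None or an invalid value without Secure) together with the three session settings discussed above; the sample headers are constructed.

```python
# Constructed Set-Cookie headers (not taken from the issue). The first is the shape
# that triggers the Firefox warning; the last is what the suggested settings produce.
SAMPLE_HEADERS = {
    "samesite_none_no_secure": "xyz=s3ss10n; path=/; SameSite=None",
    "php_default_no_samesite": "xyz=s3ss10n; path=/",
    "invalid_samesite":        "xyz=s3ss10n; path=/; HttpOnly; SameSite=Bogus",
    "hardened":                "xyz=s3ss10n; path=/; Secure; HttpOnly; SameSite=Lax",
}

VALID_SAMESITE = {"strict", "lax", "none"}


def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (cookie name, {attribute: value}).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to None.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if value else None
    return name, attrs


def audit_set_cookie(header: str, over_https: bool = True):
    """Return the list of problems found for one cookie.

    The first rule is the one Firefox prints in the issue: SameSite=None, or an
    invalid SameSite value, without Secure. The others map to the three php.ini
    settings proposed in the thread (cookie_samesite, cookie_httponly, cookie_secure).
    """
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite")
    secure = "secure" in attrs
    problems = []
    if samesite is not None:
        invalid = samesite.lower() not in VALID_SAMESITE
        if invalid:
            problems.append(f"{name}: invalid SameSite value {samesite!r}")
        if (invalid or samesite.lower() == "none") and not secure:
            problems.append(f"{name}: SameSite={samesite} requires the Secure attribute")
    else:
        problems.append(f"{name}: no SameSite attribute (set session.cookie_samesite=Lax)")
    if "httponly" not in attrs:
        problems.append(f"{name}: missing HttpOnly (set session.cookie_httponly=On)")
    if over_https and not secure:
        problems.append(f"{name}: missing Secure on an HTTPS site (set session.cookie_secure=On)")
    return problems


def audit_all(headers=SAMPLE_HEADERS, over_https=True):
    """Audit every sample header and return {label: [problems]}; [] means clean."""
    return {label: audit_set_cookie(h, over_https) for label, h in headers.items()}
```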
Hi Maurits,
so sorry for not answering earlier. I actually didn't see the notifications about all your messages until just now.
Thank you for all the information! I will look into this as soon as possible and get back to you soon.
Gabriel
I will look into this as soon as possible and get back to you soon.
Thank you for your reply. Please don't rush. It can wait. Kind regards, Maurits
Hi Maurits,
I included this code at the beginning of
namespace Tqdev\PhpCrudApi {
and it seems to resolve the warning. Would that be the right place to put it?
Seems to me to make more sense than including it in every session_start() call (I think that's called three times) unless you'd need different settings for different session_start() calls.
I've also read up on Session Security Settings on https://www.php.net/manual/en/session.security.ini.php and I agree on the settings you suggest.
Greetings, Gabriel
Okay, it seems this is PHP session security setting related, and this:
if (!ini_get('session.cookie_samesite')) {
    ini_set('session.cookie_samesite', 'Lax');
}
if (!ini_get('session.cookie_httponly')) {
    ini_set('session.cookie_httponly', 1);
}
if (!ini_get('session.cookie_secure') && isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') {
    ini_set('session.cookie_secure', 1);
}
code could fix your PHP setup from within the script. Not sure I should add that though. Give it a try!
and it seems to resolve the warning. Would that be the right place to put it?
It would be a good place. Although I prefer these settings (to become default) in the php.ini file or as session_start default behavior.
Released in v2.14.15