Bug #78651 session.cookie_samesite missing the None option
Submitted: 2019-10-09 00:06 UTC Modified: 2020-03-18 15:01 UTC
Avg. Score:4.8 ± 0.4
Reproduced:17 of 17 (100.0%)
Same Version:10 (58.8%)
Same OS:13 (76.5%)
From: jimmmaaayn at gmail dot com Assigned: nikic (profile)
Status: Closed Package: *General Issues
PHP Version: 7.3.10 OS: All OS's
Private report: No CVE-ID: None
 [2019-10-09 00:06 UTC] jimmmaaayn at gmail dot com
Setting session.cookie_samesite=None in php.ini does not set the SameSite attribute of the session cookie to None, which is needed for it to work on third-party sites in the future. Browsers like Chrome are forcing an unspecified SameSite to default to Lax instead of None. See

Also note that None requires a secure cookie for Chrome by 2020

Test script:

Expected result:
Session cookie should be set with the SameSite None attribute

Actual result:
Session cookie is not set with any Samesite Attribute


 [2019-12-10 11:27 UTC] tom at peopleperhour dot com
This issue is very important - all hell will break loose come Feb/2020 when Google Chrome defaults the SameSite cookie attribute to Lax if we cannot set the PHP session cookie back to None. For example, it will be important for any sites that have Payment Gateways where the users are sent off to the Payment processor site, then POSTed back after the payment. Sites will find their users are no longer logged in when they return.

I can't overstate how important it is that this issue is fixed before Google Chrome change their default behaviour (currently due Feb/2020, source: )
 [2020-03-17 22:48 UTC] marco dot marsala at live dot it
A simple workaround is:

session_set_cookie_params(['samesite' => 'None']);
 [2020-03-18 14:52 UTC]
> cat t048.php 

> sapi/cgi/php-cgi t048.php 
X-Powered-By: PHP/7.3.16-dev
Set-Cookie: PHPSESSID=e7c6bf56463ebb1eaf0dfdd0a8e2257d; path=/; SameSite=None
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-type: text/html; charset=UTF-8

Seems to work fine already?

Nothing in PHP checks whether the value of cookie_samesite is actually valid, you can put whatever in it.
 [2020-03-18 14:55 UTC]
I think I get it... Contrary to the given test script, you presumably have something like


in your php.ini. However, "none" is a special value in ini files, and what you want is

 [2020-03-18 15:01 UTC]
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: nikic
 [2020-03-18 15:01 UTC]
I've added a note to this effect in the php.ini-production/development files with With that, I consider this resolved, as this is already working fine if you do it right...
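
The following is an added example, not code from the report or from PHP itself. It shows the INI keyword behaviour discussed in this thread (unquoted None versus the quoted string) next to the runtime setting, together with an explicit check, since PHP does not validate the SameSite value. The helper name check_cookie_policy() and the INI fragments are constructed for illustration; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example; check_cookie_policy() is a hypothetical helper, not a PHP API.

// Runtime form, set before any output. It bypasses INI parsing entirely.
session_set_cookie_params([
    'path'     => '/',
    'secure'   => true,    // the report notes Chrome wants Secure with None
    'httponly' => true,
    'samesite' => 'None',
]);

// Constructed php.ini fragments. Unquoted None is the INI keyword for an
// empty value; the quoted form is the literal string.
$fragments = [
    'unquoted' => 'session.cookie_samesite = None',
    'quoted'   => 'session.cookie_samesite = "None"',
];

// PHP accepts any string here, so validate the effective value ourselves.
function check_cookie_policy(array $p): array
{
    $problems = [];
    $samesite = ucfirst(strtolower((string) ($p['samesite'] ?? '')));
    if (!in_array($samesite, ['Strict', 'Lax', 'None'], true)) {
        $problems[] = 'samesite is ' . var_export($p['samesite'] ?? null, true)
            . ', attribute will be missing or invalid';
    }
    if ($samesite === 'None' && empty($p['secure'])) {
        $problems[] = 'SameSite=None without Secure';
    }
    return $problems;
}

// Parse each fragment in the default (normal) scanner mode and report.
foreach ($fragments as $label => $ini) {
    $value  = parse_ini_string($ini)['session.cookie_samesite'];
    $report = check_cookie_policy(['samesite' => $value, 'secure' => true]);
    echo $label, ': ', var_export($value, true), ' => ',
        $report ? implode('; ', $report) : 'ok', PHP_EOL;
}

// Check what the session extension will actually use for this request.
$runtime = check_cookie_policy(session_get_cookie_params());
echo 'runtime: ', $runtime ? implode('; ', $runtime) : 'ok', PHP_EOL;
```

The same check can be run against session_get_cookie_params() in a deployed application to confirm that the value loaded from php.ini survived parsing.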
Last updated: Sat Sep 30 18:01:24 2023 UTC