php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #78651 session.cookie_samesite missing the None option
Submitted: 2019-10-09 00:06 UTC Modified: 2020-03-18 15:01 UTC
Votes:19
Avg. Score:4.8 ± 0.4
Reproduced:17 of 17 (100.0%)
Same Version:10 (58.8%)
Same OS:13 (76.5%)
From: jimmmaaayn at gmail dot com Assigned: nikic (profile)
Status: Closed Package: *General Issues
PHP Version: 7.3.10 OS: All OS's
Private report: No CVE-ID: None
View Developer Edit
 [2019-10-09 00:06 UTC] jimmmaaayn at gmail dot com 
Description:
------------
Setting session.cookie_samesite=None in php ini does not set attribute of session samesite to None in order for it to work on third party sites in the future. Browsers like Chrome are forcing no specified samesite to be default Lax instead of None. See https://www.chromium.org/updates/same-site

Also Note down that None requires secure cookie for chrome by 2020

Test script:
---------------
ini_set('session.cookie_samesite','None');session_start();

Expected result:
----------------
Session cookie should be set with the SameSite None attribute

Actual result:
--------------
Session cookie is not set with any Samesite Attribute

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-12-10 11:27 UTC] tom at peopleperhour dot com 
This issue is very important - all hell will break loose come Feb/2020 when Google Chrome default the SameSite cookie attribute to Lax if we cannot set the PHP session cookie back to None. For example, it will be important for any sites that have Payment Gateways where the users are sent off to the Payment processor site, then POSTed back after the payment. Sites will find their users are no longer logged-in when they return.

I can't overstate how important it is that this issue is fixed before Google Chrome change their default behaviour (currently due Feb/2020, source: https://blog.chromium.org/2019/10/developers-get-ready-for-new.html )
 [2020-03-17 22:48 UTC] marco dot marsala at live dot it 
A simple workaround is:

session_set_cookie_params([‘samesite’ => ‘None’]);
 [2020-03-18 14:52 UTC] nikic@php.net 
> cat t048.php 
<?php
ini_set('session.cookie_samesite','None');
session_start();

> sapi/cgi/php-cgi t048.php 
X-Powered-By: PHP/7.3.16-dev
Set-Cookie: PHPSESSID=e7c6bf56463ebb1eaf0dfdd0a8e2257d; path=/; SameSite=None
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-type: text/html; charset=UTF-8

Seems to work fine already?

Nothing in PHP checks whether the value of cookie_samesite is actually valid, you can put whatever in it.
 [2020-03-18 14:55 UTC] nikic@php.net 
I think I get it... Contrary to the given test script, you presumably have something like

session.cookie_samesite=None

in your php.ini. However, "none" is a special value in ini files, and what you want is

session.cooke_samesite="None"
 [2020-03-18 15:01 UTC] nikic@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: nikic
 [2020-03-18 15:01 UTC] nikic@php.net 
I've added a note to this effect in the php.ini-production/development files with https://github.com/php/php-src/commit/c00cce3229515eacdb1680f39132ed3ca09cc205. With that, I consider this resolved, as this is already working fine if you do it right...
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Sat Oct 25 14:00:01 2025 UTC