Saturday, April 9, 2022

[SOLVED] Apache cross site cookie sharing issue

Issue

I am trying to do something a little unusual. I have an HTML document that I am opening from the file system (file:///usr/local/var/www/myFile.html)

In this file, I am loading a script library from my local server via php:

<script src="http://localhost/myscript.php" type="text/javascript">

This is actually working - this is not my issue. My issue is with session/cookies.

First, I am logging in using localhost/login.php

When I open myFile via http://myFile.html, myscript.php has my session and cookie variables that I set in login.php. When I am opening the html file from the file system, and then getting my script via php from the server, it doesn't have my session or cookie variables. Chrome (client side) flags the session and the cookies under issues:

Indicate whether to send a cookie in a cross-site request by specifying its SameSite attribute Because a cookie’s SameSite attribute was not set or is invalid, it defaults to SameSite=Lax, which prevents the cookie from being sent in a cross-site request. This behavior protects user data from accidentally leaking to third parties and cross-site request forgery. Resolve this issue by updating the attributes of the cookie: Specify SameSite=None and Secure if the cookie should be sent in cross-site requests. This enables third-party use. Specify SameSite=Strict or SameSite=Lax if the cookie should not be sent in cross-site requests. 3 cookies

One of the cookies listed is actually the PHP Session ID. The other two are cookies I had set in login as a workaround to not having my session variables.

So I went and edited my php.ini file (I used phpinfo() on another php page to make sure it was the right php.ini)

I made these changes:

session.cookie_secure = 1
session.cookie_samesite = "None"

And I restarted httpd, but I am still getting the error message in Chrome, and the session and cookies are not set where I am looking for them in my .php file.

What have I done wrong / what am I missing in php.ini?

--- Edit ---

I tried the above in Safari and it worked. It seems the problem lies with Chrome only.


Solution

I think those who responded didn't understand my question, and I am probably at fault for their misunderstandings.

In any case, what I discovered reading the message from Chrome again was that I had to set up samesite values on my cookies as well. Here's how I did it in login.php:

    $res = $stmt->fetch(PDO::FETCH_ASSOC);
    $success = true;
    $_SESSION["editor"] = $_REQUEST["userID"];
    $_SESSION["agency"] = $res["id"];

    // Old calls (no SameSite attribute, so Chrome defaulted them to Lax):
    // setcookie("editor", $_POST["userID"], time() + 60 * 60 * 24, "/"); // 86400 = 1 day
    // setcookie("agency", $res["id"], time() + 60 * 60 * 24, "/"); // 86400 = 1 day

    // New calls: PHP 7.3+ options-array form of setcookie(), with
    // SameSite=None together with Secure as Chrome's message requires.
    setcookie("editor", $_POST["userID"], [
        "expires"  => time() + 60 * 60 * 24,   // 1 day
        "path"     => "/",
        "domain"   => "",                      // empty = host-only cookie
        "secure"   => true,                    // required for SameSite=None
        "httponly" => false,                   // readable from client-side JS
        "samesite" => "None",
    ]);

    setcookie("agency", $res["id"], [
        "expires"  => time() + 60 * 60 * 24,   // 1 day
        "path"     => "/",
        "domain"   => "",
        "secure"   => true,
        "httponly" => false,
        "samesite" => "None",
    ]);

Here I am setting the "samesite" attribute directly on the cookies I am creating. Now the cookie information is available in http://localhost/myscript.php in Chrome.



Answered By - ControlAltDel
Answer Checked By - Clifford M. (WPSolving Volunteer)
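The accepted answer fixes the two application cookies but leaves the PHP session cookie to php.ini. As an added example (not the poster's code), the following login.php fragment applies the same SameSite=None + Secure attributes to the session cookie itself from code, via session_set_cookie_params() called before session_start(), which overrides the session.cookie_* ini values for that request. It assumes PHP 7.3 or later (array form of both functions) and that the page is served over HTTPS, or over http://localhost, which Chrome treats as a secure context and therefore accepts Secure cookies from; $userID is a placeholder standing in for the poster's authenticated user.

```php
<?php
// Added example: configure the PHP session cookie and an application cookie
// so that a browser will send them on cross-site requests (for instance from a
// page opened via file://, whose origin is cross-site to http://localhost).
// Assumes PHP >= 7.3 and an HTTPS (or localhost) origin; the Secure attribute
// is mandatory for SameSite=None, as Chrome's message in the question states.

declare(strict_types=1);

// Cookie options that satisfy the browser rule: SameSite=None only with Secure.
function crossSiteCookieOptions(int $lifetimeSeconds = 86400): array
{
    return [
        'lifetime' => $lifetimeSeconds,
        'path'     => '/',
        'domain'   => '',       // empty = host-only cookie for the current host
        'secure'   => true,     // required by browsers for SameSite=None
        'httponly' => true,     // the session id never needs to be read by JS
        'samesite' => 'None',
    ];
}

// Must run before session_start(): overrides session.cookie_* from php.ini for
// this request, so the php.ini edit is not needed for the session cookie.
session_set_cookie_params(crossSiteCookieOptions());
session_start();

// ... authentication against the database would happen here ...
$userID = 'demo-user';              // placeholder for the authenticated user
$_SESSION['editor'] = $userID;

// setcookie() takes an absolute 'expires' timestamp rather than 'lifetime'.
$opts = crossSiteCookieOptions();
setcookie('editor', $userID, [
    'expires'  => time() + $opts['lifetime'],
    'path'     => $opts['path'],
    'domain'   => $opts['domain'],
    'secure'   => $opts['secure'],
    'httponly' => false,            // this one is read by the client-side script
    'samesite' => $opts['samesite'],
]);
```

Setting SameSite=None deliberately gives up the cross-site request forgery protection that the Lax default provides, which is the trade-off Chrome's message describes; a login flow configured this way should therefore keep a separate CSRF defence (such as a per-session token checked on state-changing requests) and keep HttpOnly on the session cookie, as above, so only the cookies a script genuinely needs are exposed to JavaScript.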