SameSite Cookie not working #3893

Closed
ghost opened this issue Oct 25, 2018 · 15 comments

Comments

@ghost

ghost commented Oct 25, 2018

Today I upgraded my October CMS to PHP 7.3

I did the following things:

  1. Added the following code to my .htaccess:

    AddHandler application/x-httpd-php73 .php .php5 .php4 .php3

  2. Updated the version in cPanel.

  3. It says this in the admin backend dashboard:

    [screenshot]

  4. I have added these three lines of code inside my .htaccess:

    Header always edit Set-Cookie (.*) "$1; HTTPOnly"
    Header always edit Set-Cookie (.*) "$1; Secure"
    Header always edit Set-Cookie (.*) "$1; SameSite"

  5. Session config file: I have added the following code at the bottom, as per PR "Add Same-Site Cookie configuration option" #3688:

    /*
    |--------------------------------------------------------------------------
    | Same-Site Cookies
    |--------------------------------------------------------------------------
    |
    | This option determines how your cookies behave when cross-site requests
    | take place, and can be used to mitigate CSRF attacks. By default, we
    | do not enable this as other CSRF protection services are in place.
    |
    | Supported: "lax", "strict"
    |
    */
    'same_site' => 'strict',
    ];

Testing and NOT Working

I am expecting the October session cookie to have two ticks and say 'Strict' for HTTPOnly, Secure and SameSite:

[screenshot]

Also an extra screenshot showing that I do have SameSite turned on:

[screenshot]

Therefore I think it is NOT working and there is an error somewhere, or maybe I have not set it up fully correctly! But I am pretty sure I have turned it on correctly on my side.

@ghost
Author

ghost commented Oct 25, 2018

Update:

Adding the following code to the .htaccess makes it work:

    Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure; SameSite=Strict"

See screenshot:

[screenshot]

However, this just highlights that the code in session.php is not working! Therefore this code at the moment doesn't work:

    /*
    |--------------------------------------------------------------------------
    | Same-Site Cookies
    |--------------------------------------------------------------------------
    |
    | This option determines how your cookies behave when cross-site requests
    | take place, and can be used to mitigate CSRF attacks. By default, we
    | do not enable this as other CSRF protection services are in place.
    |
    | Supported: "lax", "strict"
    |
    */
    'same_site' => 'strict',
    ];
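
As an added example (not part of this thread, October CMS or Laravel), a small Python checker for the verification done above in the browser dev tools: it parses Set-Cookie header values and reports which of HttpOnly, Secure and SameSite are missing, and whether SameSite carries a recognised value. The header values are constructed samples modelled on the two .htaccess variants tried above; the cookie names and expiry dates are made up.

```python
"""Check Set-Cookie header values for the HttpOnly, Secure and SameSite attributes."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample headers (not captured from a real server): the first mimics the
# three separate .htaccess edits above (bare "SameSite" with no value), the second the
# working one-line edit, the third a cookie that sets no SameSite at all.
SAMPLE_HEADERS = [
    "october_session=abc123; expires=Thu, 25 Oct 2018 14:00:00 GMT; Max-Age=7200; "
    "path=/; HTTPOnly; Secure; SameSite",
    "october_session=abc123; expires=Thu, 25 Oct 2018 14:00:00 GMT; Max-Age=7200; "
    "path=/; HTTPOnly; Secure; SameSite=Strict",
    "__cfduid=d1e2f3; expires=Fri, 25 Oct 2019 14:00:00 GMT; path=/; HttpOnly",
]
VALID_SAMESITE = ("strict", "lax", "none")


@dataclass
class CookieAudit:
    name: str
    httponly: bool
    secure: bool
    samesite: Optional[str]  # None if absent, "" if present without a value
    problems: List[str]


def parse_set_cookie(header: str) -> CookieAudit:
    # Split one Set-Cookie value into cookie name plus attributes and flag weak settings.
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.lower()] = value  # attribute names are case-insensitive
    httponly, secure = "httponly" in attrs, "secure" in attrs
    samesite = attrs.get("samesite")
    problems = []
    if not httponly:
        problems.append("missing HttpOnly")
    if not secure:
        problems.append("missing Secure")
    if samesite is None:
        problems.append("missing SameSite")
    elif samesite.lower() not in VALID_SAMESITE:
        problems.append(f"SameSite has no recognised value ({samesite!r})")
    elif samesite.lower() == "none" and not secure:
        problems.append("SameSite=None requires Secure")
    return CookieAudit(name, httponly, secure, samesite, problems)


def audit(headers: List[str]) -> List[CookieAudit]:
    return [parse_set_cookie(h) for h in headers]
```

Run `audit(SAMPLE_HEADERS)` to see that only the `SameSite=Strict` variant passes; the bare `SameSite` from the three-line edit is reported as having no recognised value.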

@Denoder
Contributor

Denoder commented Oct 25, 2018

Hmm,
Since you have PHP 7.3, can you remove the .htaccess headers and:

  • go into a plugin and create a routes.php file
  • add a random route
  • add the web middleware to it, and then go to that route to check the cookie flag?

@ayumihamsaki

@Denoder
Contributor

Denoder commented Oct 26, 2018

@ayumihamsaki the header should be set by the SessionStart class in the web middleware, and the CMS controller and Backend controller utilize the web middleware, so maybe try deleting cookies and then refreshing.

@ghost
Author

ghost commented Oct 26, 2018

@teranode

First thanks for your advice. I understand that Laravel 5.5 or greater combined with PHP 7.3 will have the SameSite Cookie.

I believe the issue is not with them; the issue is with the October CMS URL system. I will show you steps to repeat the issue (setting up a static web page in October).

Steps to Repeat Issue

  1. I removed the .htaccess headers to try and force any cookie headers.

  2. I added the session.php config details:

    /*
    |--------------------------------------------------------------------------
    | Same-Site Cookies
    |--------------------------------------------------------------------------
    |
    | This option determines how your cookies behave when cross-site requests
    | take place, and can be used to mitigate CSRF attacks. By default, we
    | do not enable this as other CSRF protection services are in place.
    |
    | Supported: "lax", "strict"
    |
    */
    'same_site' => 'strict',
    ];

  3. I created a static web page using October's URL system, see screenshot:

    [screenshot]

  4. I tested the static page in Google Chrome Dev Tools, see screenshot:

    [screenshot]

As you can see, the 'Strict' flag is not showing.

I believe October should add the middleware to its OWN URL system and have the SameSite flag working automatically, without the need for the developer to add the extra middleware route.

(I hope I explained the issue)

@LukeTowers
Contributor

@ayumihamsaki in theory it's already implemented is what @teranode is saying

@ghost
Author

ghost commented Oct 26, 2018

Thanks Luke for clearing that up, I was wondering that (it did have me a little confused). I guess I will just have to wait for PHP 7.3 to roll out to more hosting companies - for more people to confirm this bug.

@Denoder
Contributor

Denoder commented Oct 27, 2018

Just added PHP 7.3 on my local machine and I'm not getting the same issues you are:

@ghost
Author

ghost commented Oct 27, 2018

I did a fresh new install (same issue):

  1. phpinfo:

    [screenshot]

  2. .htaccess file, I took from here: https://github.com/octobercms/october/blob/master/.htaccess

  3. I downloaded the zip file from octobercms.com and uploaded it to the server.

  4. Changed session.php to this:

    [screenshot]

  5. Checked on the homepage of a brand new install and it looks like this:

Google Canary:

[screenshot]

Firefox Nightly:

[screenshot]

P.S. The two cookies shown are from October CMS and Cloudflare.

Really not sure what the issue is?

@ghost ghost mentioned this issue Jun 12, 2019
@ghost
Author

ghost commented Jul 5, 2019

Going to investigate this further, I have found the Laravel PR, see here: https://github.com/laravel/framework/pull/18036/files

Will do some further investigating on it.

Please note, I quote someone from the Laravel team talking about this:

Yes it seems they just accepted the PR and never checked if it actually worked. A bit sloppy...

@ghost
Author

ghost commented Jul 5, 2019

After a few hours of researching I have the following conclusion. This is fixed in the following versions: Laravel 5.6.38 and Symfony 4.1.5.

Symfony PR: symfony/symfony#27885
Laravel PR: Don't have the exact link (but speaking to team members in their repo that's their answer)

Upgrading to Laravel LTS 5.9 should fix this.

@github-actions

github-actions bot commented Oct 7, 2019

This issue will be closed and archived in 3 days, as there has been no activity in the last 30 days. If this issue is still relevant or you would like to see action on it, please respond and we will get the ball rolling.

@LukeTowers
Contributor

Will be fixed by #4381

@summercms
Contributor

summercms commented Jan 5, 2020

@LukeTowers This is working now as of v462, you can close this issue also maybe you want to remove it from your 1st comment list found here: #4381 (comment)

[edit] fully tested it in php version 7.3.13

@summercms
Contributor

Note: Issue with Windows 10 and SameSite Google Chrome V80, users need to install KB4534273

See here for link: https://support.microsoft.com/en-gb/help/4534273/windows-10-update-kb4534273

@iamrodrigo

I'm still having this problem.

I did the same, I added the variable to session.php but the value is not lax on Chrome.

I'm currently using PHP 7.3.0 and October CMS 464.

Am I the only one experiencing this problem?

Cheers
