Personalize PHP session cookie

Viewed 317 times

1

I’m using a custom handler to save sessions in MongoDB and a custom class to create cookies with the SameSite attribute using the header() function, although this specification is not widely adopted (yet).

However, the PHP session cookie is created by session_start() using setcookie(), which forces the creation of a session cookie without the SameSite attribute.

How can I customize the session cookie in PHP?

2 answers

0

Have you seen this lib: https://github.com/delight-im/PHP-Cookie

Modern cookie management for PHP: This library provides a static method compatible with PHP’s setcookie (...) function, but includes support for newer features such as the Samesite attribute

  • I took exactly this library as the basis for my question: it adds the SameSite attribute to cookies using header(), but the session cookie is still started as described in my question.

  • With the Session::start('Strict') or ::start('Lax') method it starts the session with PHP’s built-in method (session_start) but then overwrites the session data by adding SameSite. If that lib doesn’t help, I don’t know what could help then. There is no native support in PHP yet.

  • Reddit: https://www.reddit.com/r/PHP/comments/4na46f/samesite_cookie_support_for_php/

  • Well, that’s exactly the point. The cookie is generated and sent in the output buffer, written (saved) to the client, and only then does the class get the cookie and overwrite it. As fast as this process may be, it does not guarantee that there can be no interception. There is an issue that deals with something similar...

  • https://github.com/delight-im/PHP-Cookie/issues/15

  • Although this issue concerns a DRAFT for PHP sessions, it points to the same paradigm.

0


Based on a reply I received on ONLY on a matter related to RFC 6265, which defines the "same-site" cookie specification, I bring here the solution presented:

Response in ONLY

In free translation:

It seems that you can abuse the "path" or "domain" parameter of PHP's "setcookie" function to sneak in the SameSite attribute, because PHP does not escape a semicolon:

setcookie('samesite-test', '1', 0, '/; samesite=strict');

I found the answer interesting and decided to test it in phptester using PHP 7.0. The attribute was added to the session cookie in Chrome 63 (desktop) and 62 (Android), as well as in the native browser on Android (62) and Opera (48)... Firefox 57 does not offer support yet but promises support in the next version (58).

According to caniuse, the following browsers support (or will support) the specification:

[image: caniuse browser support table for the SameSite cookie attribute]
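As an added example (not code from the original post or from the PHP-Cookie library), here is how the path trick above can be applied to the session cookie itself through session_set_cookie_params(), which must run before session_start(); it goes beyond the post by also using the native session cookie SameSite option that PHP 7.3 later added, and the configure_session_cookie() helper and its names are my own.

```php
<?php
// Added example: give the PHP session cookie a SameSite attribute.
// Assumption: before PHP 7.3, setcookie()/session_set_cookie_params() do not
// escape ';' in the path argument, so extra attributes can be appended there
// (the trick from the answer above). PHP 7.3 added native support through the
// array form of session_set_cookie_params(), which is preferred when available.

function configure_session_cookie(string $sameSite = 'Strict'): void
{
    // Accept only the values defined by the SameSite draft.
    if (!in_array($sameSite, ['Strict', 'Lax'], true)) {
        throw new InvalidArgumentException('SameSite must be Strict or Lax');
    }

    $secure   = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    $httpOnly = true;

    if (PHP_VERSION_ID >= 70300) {
        // Native support: session_start() emits the attribute itself, so the
        // cookie is never sent without SameSite and later overwritten.
        session_set_cookie_params([
            'lifetime' => 0,
            'path'     => '/',
            'domain'   => '',
            'secure'   => $secure,
            'httponly' => $httpOnly,
            'samesite' => $sameSite,
        ]);
    } else {
        // Pre-7.3 workaround: smuggle the attribute through the unescaped
        // "path" parameter. Must be called BEFORE session_start().
        session_set_cookie_params(0, '/; SameSite=' . $sameSite, '', $secure, $httpOnly);
    }
}

// Returns the Set-Cookie header queued for the session cookie, so the
// presence of the attribute can be checked before any output is sent.
function session_set_cookie_header(): ?string
{
    foreach (headers_list() as $header) {
        if (stripos($header, 'Set-Cookie: ' . session_name() . '=') === 0) {
            return $header;
        }
    }
    return null;
}

configure_session_cookie('Strict');
session_start();
echo session_set_cookie_header() ?? 'no session cookie queued', "\n";
```

On PHP 7.0 the queued header should end in "path=/; SameSite=Strict; HttpOnly" (plus "secure" over HTTPS); the check only works before headers are flushed, which is also when the SameSite window matters.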
