I'm having a host of issues with PHP's SESSION and I'm not sure what started it all.
I was setting session_start in my code and things were working fine. I added some AJAX functionality then noticed that the session was empty for that particular call. Believing that I was starting the session too late or that maybe I forgot to include it in a page, I removed ALL instances of session_start and put one session_start in my bootstrap. So now my entire code base only has one session_start call and it's the very first line in the application.
This introduced a new issue. Now I am seeing this in dev tools:
Cookie "PHPSESSIONID" does not have a proper "SameSite" attribute value. Soon, cookies without the "SameSite" attribute or with an invalid value will be treated as "Lax". This means that the cookie will no longer be sent in third-party contexts.
I understand this has to do with SSL but this site doesn't need SSL, and I'm not even sure why I'm getting this warning. Can someone tell me what I need to do to permanently configure my code so I don't have to worry about this warning anymore? Without running SSL of course, because that's not an option.
I'm not even sure why I'm getting this warning.
Me neither :) Btw setcookie documentation is here:
<?php
$arr_cookie_options = array (
'expires' => time() + 60*60*24*30,
'path' => '/',
'domain' => '.example.com', // leading dot for compatibility or use subdomain
'secure' => true, // or false
'httponly' => true, // or false
'samesite' => 'None' // None || Lax || Strict
);
setcookie('TestCookie', 'The Cookie Value', $arr_cookie_options);
?>
Did the warning disappear after you set the samesite option?
I'm configuring the php.ini file, trying to understand the proper syntax for the php.ini file and setting session_set_cookie_params(). First, it's not clear if the settings need to be in quotes. Can someone please provide an example of proper syntax? My goal is that I want to have session variables available across all sub-domains on my website. It also says, "...you need to call session_set_cookie_params() for every request and before session_start() is called." So basically, I need to
<?php
session_set_cookie_params();
session_start();
// PHP CODE HERE
?>
Right? Here's the webpage, and below is the php.ini code I've figured out thus far.
https://www.php.net/manual/en/function.session-set-cookie-params.php.
session_set_cookie_params(
int $lifetime_or_options,
string|null $path = null,
string|null $domain = null,
bool|null $secure = null,
bool|null $httponly = null
): bool
Here's my config file thus far.
session_set_cookie_params(
600 $lifetime_or_options,
$path = .mywebsite.com,
$domain = /,
$secure = null,
$httponly = null
): bool
It seems to me that you are not attempting to modify php.ini here (php.ini is a static server-wide config file loaded before PHP), but rather set PHP's ini values at runtime via PHP code. To that end, I think you're just misreading the function definition in the documentation a bit, as to how parameters are expressed.
In later versions of PHP (you're using 8 so that counts), it is best to pass the parameters as an array. This is as listed under Alternative signature available as of PHP 7.3.0 in the docs. When the docs mention the value $lifetime_or_options, they mean that parameter can either be an integer lifetime value (600) or an array of all the options as:
Bundle them in an array with []:
session_set_cookie_params([
'lifetime' => 600,
'path' => '/',
'domain' => '.yoursite.example.com',
'secure' => true,
'httponly' => true
]);
Note that I have set secure and httponly to true. httponly will prevent javascript from gaining access to the session cookie, which is appropriate most of the time. However, set secure to false if you need your session to work without SSL - when set true as I have it, the session cookie would only be transmitted over https.
I have also switched your path and domain values.
The other older way to express this is just to pass individual values directly as function parameters - that is the part I think you misunderstood in the docs.
session_set_cookie_params(600, '/', '.yoursite.example.com', true, true);
Note also that 600 is a very short lifetime for a session cookie, only ten minutes. You might need it to live longer.
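Putting the two threads together (the SameSite warning on the session cookie in the first question, and the array form of session_set_cookie_params() in this answer), here is an added bootstrap example; it is not code from any of the posts. The domain is a placeholder, and detecting HTTPS through $_SERVER is an assumption about the server setup.

```php
<?php
// Added example: a single session bootstrap, included before any output.
// Not taken from the posts above; the domain is a placeholder.
declare(strict_types=1);

// Assumption: the web server exposes HTTPS via $_SERVER['HTTPS'] (or port 443).
$isHttps = (!empty($_SERVER['HTTPS']) && strtolower((string)$_SERVER['HTTPS']) !== 'off')
    || (string)($_SERVER['SERVER_PORT'] ?? '') === '443';

// Array form, PHP 7.3+. These become the session.cookie_* ini values for this
// request, so they must be set on every request and before session_start().
session_set_cookie_params([
    'lifetime' => 0,                        // 0 = browser-session cookie
    'path'     => '/',
    'domain'   => '.yoursite.example.com',  // placeholder; leading dot covers subdomains
    'secure'   => $isHttps,                 // Secure only when actually served over HTTPS
    'httponly' => true,                     // keep the session id out of document.cookie
    'samesite' => 'Lax',                    // explicit value stops the browser warning;
                                            // 'None' is only accepted together with secure=true
]);

session_start();

// Returns the effective cookie settings, handy on a test page to confirm
// that this bootstrap really ran before anything else.
function sessionCookieConfig(): array
{
    return [
        'samesite' => ini_get('session.cookie_samesite'),
        'secure'   => ini_get('session.cookie_secure'),
        'httponly' => ini_get('session.cookie_httponly'),
        'domain'   => ini_get('session.cookie_domain'),
        'path'     => ini_get('session.cookie_path'),
    ];
}
```

On a plain-HTTP site $isHttps is false, so the cookie goes out without Secure but still carries an explicit SameSite value, which is what the warning asks for; with Lax the browser keeps sending the session cookie on same-site AJAX calls.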
I am trying to set a cookie with false in the secure parameter but when it is sent it always says secure/true. What could be causing my cookie setting to ignore that parameter?
setcookie( 'TEST', 'Testing', 0, C_PATH, C_DOMAIN, false );
Header:
Set-Cookie: TEST=Testing; path=/;HttpOnly;Secure
You also have the HttpOnly flag set - which is not on by default in PHP either. So it might be that these are added by your web server or something else between the client and PHP. Because PHP has no way of enabling these flags by default, you always have to set them explicitly for every setcookie call.
Yet I would recommend using both of them if you use them for PHP.
I only want the session cookie on www.website.tld and www.apps.website.tld, using ini_set if possible. Also I need to set all cookies I write to both subdomains only. I do not want www.imgs.website.tld to have the cookies. The PHP session one I'm kinda unsure of. For the cookies I set myself, my idea was to call SetBothCookie($name,$value,$time), a custom function.
function SetBothCookie($name,$value,$time)
{
setcookie($name, $value, $time, "", "www.website.tld", 1);
setcookie($name, $value, $time, "", "www.apps.website.tld", 1);
}
So I think I have the SetBothCookie part down, but wanted to see what others think of that code. The part I'm stuck on is having PHP set the session cookie on both sub domains. I'm using session_set_save_handler to override the default PHP session storage to store sessions in the database, so both servers can use the same session data. From my understanding, if I put JavaScript that does HTTP requests on www.apps.website.tld to www.website.tld it won't allow them to happen, and I want that added security, so that's my reason for running only a part of the site on a subdomain.
This function should work but...
Using the secure parameter in setcookie(), according to the PHP manual:
Indicates that the cookie should only be transmitted over a secure HTTPS connection from the client. When set to TRUE, the cookie will only be set if a secure connection exists. On the server-side, it's on the programmer to send this kind of cookie only on secure connection (e.g. with respect to $_SERVER["HTTPS"]).
So I suggest removing the 6th parameter of the setcookie() function.
Also, you can only call this function before any output, or it will throw a warning like
Warning: Cannot modify header information - headers already sent by (output started at ...) in ... on line XX
Using session_set_save_handler() is a good solution to take control over session variables.
If you want cookies for entire domain just use "/" or ".website.tld" (with initial dot according to RFC 2109 standard) for domain parameter (5th in a row). Parameter path should be "" (empty string; 4th).
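An added helper (not the poster's SetBothCookie() and not code from the answer) that applies the three points above: Secure is only set when the request actually arrived over HTTPS, the call bails out when headers have already been sent, and the scope is chosen explicitly. A response can only set cookies for its own host or a parent domain, so a cookie meant for both www.website.tld and www.apps.website.tld has to be scoped to .website.tld, which also reaches www.imgs.website.tld. Host names are placeholders from the question; the $_SERVER fields used are an assumption about the SAPI.

```php
<?php
// Added helper example; not from the posts above.
declare(strict_types=1);

function requestIsHttps(array $server): bool
{
    // Assumption: the SAPI populates $_SERVER['HTTPS'] / SERVER_PORT as usual.
    return (!empty($server['HTTPS']) && strtolower((string)$server['HTTPS']) !== 'off')
        || (string)($server['SERVER_PORT'] ?? '') === '443';
}

function setScopedCookie(string $name, string $value, int $ttlSeconds, string $domain, array $server): bool
{
    if (headers_sent($file, $line)) {
        // Output already started: setcookie() would only raise the
        // "headers already sent" warning, so report and fail cleanly instead.
        error_log(sprintf('cookie %s not set: output started at %s:%d', $name, $file, $line));
        return false;
    }
    return setcookie($name, $value, [
        'expires'  => $ttlSeconds > 0 ? time() + $ttlSeconds : 0,
        'path'     => '/',
        'domain'   => $domain,                  // '.website.tld' shares it across subdomains
        'secure'   => requestIsHttps($server),  // never mark Secure on a plain-HTTP response
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Usage (hosts are placeholders from the question):
setScopedCookie('pref', 'dark', 86400, '.website.tld', $_SERVER);
```

The return value lets the caller notice a cookie that was silently not set instead of discovering it later as a "lost" session.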
I've built a site in CI, and have a login system, which works fine in Firefox but not Chrome or IE. In those two, if the username and password are correct it just redirects (I think) back to the login page, not to the login error page, or to the site home (as it should). I've noticed that it doesn't seem to be setting a cookie in Chrome, but it does in FF.
Here's the code in my controller which sets the cookie and redirects after authentication:
$newdata = array(
'username' => $_POST['login_username'],
'real_name' => $name,
'user_id' => $uid,
'logged_in' => TRUE
);
$this->session->set_userdata($newdata);
//echo $newdata;
redirect('/site/index');
Any ideas why this might be happening?
Thanks
I experienced this problem too ... session userdata lost for Chrome and IE, but ok on Firefox. It was due to an incorrect setting in config/config.php
I had to explicitly set cookie_domain
To make it automagic in the future I used this command ... ripped off the CI forums.
// Strip the scheme and any trailing slash so only the host name remains.
$config['cookie_domain'] = rtrim(str_replace(array("http://", "https://"), "", $config['base_url']), "/");
I added this line and all was ok.
Check that $_SESSION really is set. On CI you may need to exit gracefully to flush out what's in $this->session to the 'real' session variable.
Add an echo serialize($_SESSION) so you know what's going on (before the redirect),
and check how to end a CI request gracefully.
Adjusting the cookie name in the CI config to remove underscores works wonders. The article CodeIgniter Session Problem in IE explains the details quite well.
For me it solved just adding more time to the cookie, I had 3600 so I changed to 7200. Seems to be a problem with time on my production site. May help someone.
In my case, the problem was that $config['base_url'] was empty.
So i set it to my domain
$config['base_url'] = 'http://yourdomain.com/';
CodeIgniter has a problem if the specified domain for cookies is localhost; I set a fake domain with a real domain-name structure in the hosts file and it works.
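An added example that generalises the base_url snippet from the answer above (it is not CodeIgniter code and not from any of the posts): it derives cookie_domain with parse_url() instead of string replacement, and returns an empty value for an empty base_url, for localhost and for a bare IP address, where a Domain attribute cannot be used and a host-only cookie is the working choice. The base_url value is a placeholder.

```php
<?php
// Added example; derives CodeIgniter's cookie_domain from base_url.
declare(strict_types=1);

function cookieDomainFromBaseUrl(string $baseUrl): string
{
    $host = parse_url($baseUrl, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return '';   // empty base_url (one of the reported causes): host-only cookie
    }
    $host = strtolower($host);
    // localhost and IP literals cannot carry a Domain attribute; an empty
    // value makes the browser treat the cookie as host-only, which works.
    if ($host === 'localhost' || filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return '';
    }
    return $host;
}

// Usage inside config/config.php (base_url is a placeholder):
$config['base_url']      = 'http://yourdomain.com/';
$config['cookie_domain'] = cookieDomainFromBaseUrl($config['base_url']);
```

With a real host name the function yields that host; for a localhost or IP-based base_url it leaves cookie_domain empty, which sidesteps the localhost problem mentioned above without editing the hosts file.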
I came across the snippet below:
setcookie('foo', 'v1', time() + 60*60*24, '/');
setcookie('foo', 'v2');
What is the effect of setting 2 cookies with the same name but different values? Is it common in practice? Where is it used?
The above example will simply overwrite the first cookie with the second one. If you want to update a cookie to store a newer value, you can overwrite its value.
Two cookies may have the same name if they were set for different domains or paths. Example:
<?php
// Same name, different domain scope: both cookies can coexist in the browser.
// Expiry is one hour ahead; an expiry of time() would discard the cookie immediately.
setcookie("testcookie", "value1forhost", time() + 3600, "/", ".domain.com", false, true);
setcookie("testcookie", "value2forsubdom", time() + 3600, "/", "subdom.domain.com", false, true);
?>
The v1 vs v2 part makes it look like a trick to detect a cookie handling bug in the browser: if foo equals v1, the browser did not process the value change.
It'd be interesting to know about the code context.
Edit
Will it set 2 cookies or will it overwrite?
It depends on where you call the script from. A setcookie() call without a path sets a cookie for the current path (where path is a URL path, not the internal file system path). So a call from http://example.com/ would create a single cookie and a call from http://example.com/somewhere/inside/ would create two separate cookies, one for / and one for /somewhere/inside/.
I think this is not intended. The second cookie call will overwrite the original set cookie. After the first call there is no knowing if browser support is available, as no input from the browser is received when processing a script. A cookie is sent as an HTTP header, and sent back by the browser on consecutive requests.
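To see what the browser actually sends back when two cookies share a name, here is an added parser for the raw Cookie request header (not code from the posts above). $_COOKIE is keyed by name and so holds only one value per name, which is why it cannot show the duplicate. The sample header is constructed; browsers list the cookie with the more specific path first, so for the /somewhere/inside/ case the v2 cookie precedes the v1 one.

```php
<?php
// Added example: parse a raw Cookie header while keeping duplicate names.
declare(strict_types=1);

/**
 * Returns a list of [name, value] pairs in the order the client sent them.
 * Duplicates are preserved, unlike $_COOKIE.
 */
function parseCookieHeader(string $header): array
{
    $pairs = [];
    foreach (explode(';', $header) as $chunk) {
        $chunk = trim($chunk);
        if ($chunk === '' || strpos($chunk, '=') === false) {
            continue;   // skip empty segments and malformed name-only chunks
        }
        [$name, $value] = explode('=', $chunk, 2);
        $pairs[] = [trim($name), rawurldecode(trim($value))];
    }
    return $pairs;
}

/** Groups values by cookie name so duplicates become visible. */
function cookieValuesByName(string $header): array
{
    $byName = [];
    foreach (parseCookieHeader($header) as [$name, $value]) {
        $byName[$name][] = $value;
    }
    return $byName;
}

// Constructed sample: what a request to /somewhere/inside/ would carry after
// the two setcookie() calls in the question (longer-path cookie listed first).
$sample  = 'foo=v2; foo=v1; PHPSESSID=constructedsessionid';
$grouped = cookieValuesByName($sample);

foreach ($grouped as $name => $values) {
    if (count($values) > 1) {
        // Log rather than trust: an ambiguous name points to a path or domain
        // scoping mistake, and the application should pick one value on purpose.
        error_log(sprintf('cookie %s sent %d times: %s', $name, count($values), implode(', ', $values)));
    }
}
```

In a request handler, pass $_SERVER['HTTP_COOKIE'] instead of the constructed sample; logging duplicate names is a cheap way to catch exactly the path-scoping situation the answer above describes.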