On a clean, current 4.0-dev or latest 4.0 nightly, start a new installation while watching the browser console, i.e. watch the console while entering the URL to your Joomla site in a new, empty tab.
Empty browser console.
Warning in browser console about wrong SameSite attribute for the session cookie when starting a new installation:
Current 4.0-dev, PHP 7.3, Firefox browser.
Later in backend or frontend I don't get that warning, so it seems something has been done in the past, but the installation has been forgotten. I just don't find it right now.
Ping @zero-24 .
Build | staging | ⇒ | 4.0-dev |
Category | ⇒ | Installation |
Labels | Added: J4 Issue |
@dgrammatiko Do it please.
Actually, this is another rabbit hole. PHP >7.3 supports setting sameSite for a cookie but ppl already polyfilled it: https://gist.github.com/bohwaz/f7c7cc08fa11399f485be3e65f19a4f4
This is getting a bit too much, I thought this would be adding a param to setcookie
@dgrammatiko I have a PR for this but I haven't fixed it yet... #25414
@HLeithner looking good. You know you have to backport this to 3.x
I can't replicate this error message with Chrome beta 88.0.4324.104 on http and https on my test server... and I don't think we need to change anything because we don't send none or any other value with the session by default.
Well, I've used Firefox. But if you say I can close my issue, I'm ok with it, just let me know.
Old ... haha .. I have latest Firefox 84.0.2 (64 bit) for Windows. Is that old already? ;-)
Any change must be added to J3 too!
All my clients have already opened tickets for this issue. My hands are tied on PHP 7.3+, so please consider adding a "samesite" param
Any change must be added to J3 too!
Hmm, here on my testing environments I don't get that issue with J3, same server, same PHP version and so on all the same.
Setting PHP to 7.4 will fix this easily
I've just updated Firefox to latest 85.0 and still get the issue.
Because it's too old ;)
@HLeithner @dgrammatiko I tend to close this issue as being a Firefox issue. Do you agree?
@richard67 it's also an issue for all Chromium browsers (If the domain is not localhost and not HTTPS), this is my localhost for some time now:
Well, that seems to be another issue than the samesite warning (but of course for the same thing, our cookie). Maybe in my case it is related to me using a self-signed SSL certificate?
@richard67 wait, if you have a certificate your screenshot is wrong, the HttpOnly should be false!
Or Firefox is wrong, assuming wrong values for empty things.
The certificate is self-signed, so Firefox shows the connection as "not secure" while using https.
I have to test later on one of my subdomains where I have real certificates.
richard67 where is your pr in which joomla can use only php 7.4 ?
If you are using PHP 7.4, yes you can use ini_set to workaround this issue.
However, ini_set('cookie_samesite') does not work in PHP Version <= 7.2.
I am sure PHP 7.3 does not support the value 'None'
I am sure there is no option for < 7.4
I tested it on my test website with https and I don't get this message in Firefox version 106.0.5 with Joomla 4.2.5. Can we close this issue?
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2022-11-12 12:39:05 |
Closed_By | ⇒ | alikon | |
Labels | Added: No Code Attached Yet | Removed: ? |
yes for sure
The cookie needs one more attribute sameSite https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
If there’s no activity I’ll do a pr
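
The thread turns on attaching a SameSite attribute to the session cookie across PHP versions. The sketch below is an added example, not code from this issue or from Joomla: it uses PHP's native `setcookie()` option array where available (PHP 7.3 and later) and a hand-built `Set-Cookie` header otherwise. The helper names, the defaults and the cookie name and value are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not Joomla's code. Cookie name and value are constructed.

/** Validate and normalise cookie options; the defaults are assumptions for a session cookie. */
function normaliseCookieOptions(array $opt): array
{
    $opt += ['path' => '/', 'secure' => false, 'httponly' => true, 'samesite' => 'Lax'];
    $opt['samesite'] = ucfirst(strtolower($opt['samesite']));

    if (!in_array($opt['samesite'], ['Strict', 'Lax', 'None'], true)) {
        throw new InvalidArgumentException('SameSite must be Strict, Lax or None');
    }
    // Current browsers reject SameSite=None unless the cookie is also Secure.
    if ($opt['samesite'] === 'None' && !$opt['secure']) {
        throw new InvalidArgumentException('SameSite=None requires the Secure attribute');
    }
    return $opt;
}

/** Build the raw Set-Cookie header value (the fallback path before PHP 7.3). */
function buildCookieHeader(string $name, string $value, array $opt = []): string
{
    $opt = normaliseCookieOptions($opt);
    $header = $name . '=' . rawurlencode($value) . '; Path=' . $opt['path'];
    $header .= $opt['secure'] ? '; Secure' : '';
    $header .= $opt['httponly'] ? '; HttpOnly' : '';
    return $header . '; SameSite=' . $opt['samesite'];
}

/** Send the cookie: native option array on PHP >= 7.3, hand-built header otherwise. */
function sendCookie(string $name, string $value, array $opt = []): void
{
    if (PHP_VERSION_ID >= 70300) {
        setcookie($name, $value, ['expires' => 0] + normaliseCookieOptions($opt));
        return;
    }
    // Second argument false: append, do not replace other Set-Cookie headers.
    header('Set-Cookie: ' . buildCookieHeader($name, $value, $opt), false);
}

if (PHP_SAPI === 'cli') {
    // Show the header the fallback path would emit for an HTTPS site.
    echo buildCookieHeader('constructed_session', 'abc123', ['secure' => true]), PHP_EOL;
}
```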