The cookie needs one more attribute sameSite https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

If there’s no activity I’ll do a pr

@dgrammatiko Do it please.

Actually, this is another rabbit hole. PHP >7.3 supports setting sameSite for a cookie but ppl already polyfilled it: https://gist.github.com/bohwaz/f7c7cc08fa11399f485be3e65f19a4f4

This is getting a bit too much, I thought this would be adding a param to setcookie

support only PHP >7.4 #31881

#25414 related ?

@dgrammatiko I have a PR for this but I didn't fixed it yet... #25414

@HLeithner looking good. You know you have to backport this to 3.x

I can't replicate your this error message with chrome beta 88.0.4324.104 on http und https on my test server... and I don't think we need to change anything because we don't send none or any other value with the session by default.

Well, I've used Firefox. But if you say I can close my issue, I'm ok with it, just let me know.

right firefox isn't happy...

but the documentation is strange too:

Not sure what old means

Old ... haha .. I have latest Firefox 84.0.2 (64 bit) for Windows. Is that old already? ;-)

Any change must be added to J3 too!
Already all my clients open ticket for this issue. My hands are tied on PHP 7.3+, so please consider to add "samesite" param

https://joomla.stackexchange.com/questions/26804/do-cookies-set-by-joomla-need-changes-because-of-the-new-samesite-requirement/28736#28736

Any change must be added to J3 too!

Hmm, here on my testing environments I don't get that issue with J3, same server, same PHP version and so on all the same.

Set PHP to 7.4 will fix this easy

I've just updated Firefox to latest 85.0 and still get the issue.

Because it's too old ;)

In developer tools of Firefox when I check the cookie in storage I get:

When doing the same in Google Chrome, the values for "Secure" and "SameSite" are empty.

@HLeithner @dgrammatiko I tend to close this issue as being a Firefox issue. Do you agree?

@richard67 it's also an issue for all Chromium browsers (If the domain is not localhost and not HTTPS), this is my localhost for some time now:

Well, that seems to be another issue than the samesite warning (but of course for the same thing, our cookie). Maybe in my case it is related to me using a self-signed SSL certificate?

@richard67 wait, if you have a certificate your screenshot is wrong, the HttpOnly should be false!

Or Firefox is wrong, assuming wrong values for empty things.

The certificate is self-signed, so Firefox shows the connection as "not secure" while using https.

I have to test later on one of my subdomains where I have real certificates.

Hmm, same on a subdomain with valid certificate and shown as "secure" by Firefox, and with PHP 8 instead of 7.3 like before.

So as we can see, the comment "Set PHP to 7.4 will fix this easy" by @chnnst above was pure nonsense.

richard67 where is your pr in which joomla can use only php 7.4 ?

If you are using PHP 7.4, yes you can use ini_set to workaround this issue.

However, ini_set('cookie_samesite') does not work in PHP Version <= 7.2.
I am sure PHP 7.3 do not support the value 'None'

I am sure there is no option for < 7.4

I tested it on my test website with https and I don't get this message in Firefox version 106.0.5 with Joomla 4.2.5. Can we close this issue?

yes for sure