J4 Issue No Code Attached Yet
richard67
24 Jan 2021

Steps to reproduce the issue

On a clean, current 4.0-dev or latest 4.0 nightly, start a new installation while watching the browser console, i.e. watch the console while entering the URL to your Joomla site in a new, empty tab.

Expected result

Empty browser console.

Actual result

Warning in browser console about wrong SameSite attribute for the session cookie when starting a new installation:

[Screenshot: 2021-01-24_03]

System information (as much as possible)

Current 4.0-dev, PHP 7.3, Firefox browser.

Additional comments

Later in backend or frontend I don't get that warning, so it seems something has been done in the past, but the installation has been forgotten. I just can't find it right now.

Ping @zero-24 .

Build staging 4.0-dev
Category Installation

dgrammatiko - comment - 24 Jan 2021

The cookie needs one more attribute, sameSite: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

If there’s no activity I’ll do a pr

richard67 - comment - 24 Jan 2021

@dgrammatiko Do it please.

dgrammatiko - comment - 25 Jan 2021

Actually, this is another rabbit hole. PHP >7.3 supports setting sameSite for a cookie but ppl already polyfilled it: https://gist.github.com/bohwaz/f7c7cc08fa11399f485be3e65f19a4f4

This is getting a bit too much, I thought this would be adding a param to setcookie
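
For reference, one way to set SameSite on the PHP session cookie across the PHP versions mentioned in the comment above. This is an added example, not Joomla code and not code from the linked gist; the function name `configureSessionCookie`, the `Lax` default and forcing HttpOnly are assumptions made for illustration.

```php
<?php
// Added example (hypothetical helper, not part of Joomla).
// Call it before session_start().
function configureSessionCookie(string $sameSite = 'Lax', ?bool $secure = null): void
{
    if (!in_array($sameSite, ['Strict', 'Lax', 'None'], true)) {
        throw new InvalidArgumentException("Unsupported SameSite value: $sameSite");
    }

    // Default: mark the cookie Secure only when the request arrived over HTTPS.
    if ($secure === null) {
        $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    }

    // Browsers reject SameSite=None cookies that are not also Secure.
    if ($sameSite === 'None' && !$secure) {
        throw new LogicException('SameSite=None requires the Secure attribute');
    }

    // Keep the lifetime, path and domain already configured in php.ini.
    $current = session_get_cookie_params();

    if (PHP_VERSION_ID >= 70300) {
        // PHP 7.3+ accepts an options array that includes "samesite".
        session_set_cookie_params([
            'lifetime' => $current['lifetime'],
            'path'     => $current['path'],
            'domain'   => $current['domain'],
            'secure'   => $secure,
            'httponly' => true, // assumption: no script access to the session id
            'samesite' => $sameSite,
        ]);
        return;
    }

    // PHP 7.1 and 7.2 have no samesite option. A widely used workaround
    // appends the attribute to the path so it lands in the Set-Cookie header.
    session_set_cookie_params(
        $current['lifetime'],
        $current['path'] . '; SameSite=' . $sameSite,
        $current['domain'],
        $secure,
        true
    );
}
```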

chnnst - comment - 25 Jan 2021

support only PHP >7.4 #31881

chnnst - comment - 25 Jan 2021

#25414 related ?

HLeithner - comment - 25 Jan 2021

@dgrammatiko I have a PR for this but I didn't fix it yet... #25414

dgrammatiko - comment - 25 Jan 2021

@HLeithner looking good. You know you have to backport this to 3.x

HLeithner - comment - 25 Jan 2021

I can't replicate this error message with Chrome beta 88.0.4324.104 on http and https on my test server... and I don't think we need to change anything because we don't send none or any other value with the session by default.

richard67 - comment - 25 Jan 2021

Well, I've used Firefox. But if you say I can close my issue, I'm ok with it, just let me know.

HLeithner - comment - 25 Jan 2021

Right, Firefox isn't happy...

but the documentation is strange too:
[image]

Not sure what old means

richard67 - comment - 25 Jan 2021

Old ... haha .. I have latest Firefox 84.0.2 (64 bit) for Windows. Is that old already? ;-)

zstergios - comment - 26 Jan 2021

Any change must be added to J3 too!
All my clients have already opened tickets for this issue. My hands are tied on PHP 7.3+, so please consider adding the "samesite" param.

https://joomla.stackexchange.com/questions/26804/do-cookies-set-by-joomla-need-changes-because-of-the-new-samesite-requirement/28736#28736

richard67 - comment - 26 Jan 2021

> Any change must be added to J3 too!

Hmm, here on my testing environments I don't get that issue with J3, same server, same PHP version and so on all the same.

chnnst - comment - 26 Jan 2021

Set PHP to 7.4 will fix this easy

richard67 - comment - 27 Jan 2021

I've just updated Firefox to latest 85.0 and still get the issue.

HLeithner - comment - 27 Jan 2021

Because it's too old ;)

richard67 - comment - 27 Jan 2021

In developer tools of Firefox when I check the cookie in storage I get:
[Screenshot: 2021-01-27_01]

When doing the same in Google Chrome, the values for "Secure" and "SameSite" are empty.

richard67 - comment - 27 Jan 2021

@HLeithner @dgrammatiko I tend to close this issue as being a Firefox issue. Do you agree?

dgrammatiko - comment - 27 Jan 2021

@richard67 it's also an issue for all Chromium browsers (If the domain is not localhost and not HTTPS), this is my localhost for some time now:

[Screenshot 2021-01-27 at 12 52 03]

richard67 - comment - 27 Jan 2021

Well, that seems to be another issue than the samesite warning (but of course for the same thing, our cookie). Maybe in my case it is related to me using a self-signed SSL certificate?

dgrammatiko - comment - 27 Jan 2021

@richard67 wait, if you have a certificate your screenshot is wrong, the HttpOnly should be false!

richard67 - comment - 27 Jan 2021

Or Firefox is wrong, assuming wrong values for empty things.

richard67 - comment - 27 Jan 2021

The certificate is self-signed, so Firefox shows the connection as "not secure" while using https.

richard67 - comment - 27 Jan 2021

I have to test later on one of my subdomains where I have real certificates.

richard67 - comment - 27 Jan 2021

Hmm, same on a subdomain with valid certificate and shown as "secure" by Firefox, and with PHP 8 instead of 7.3 like before.

So as we can see, the comment "Set PHP to 7.4 will fix this easy" by @chnnst above was pure nonsense.

chnnst - comment - 13 Feb 2021

richard67 where is your pr in which joomla can use only php 7.4 ?

chnnst - comment - 13 Feb 2021

If you are using PHP 7.4, yes you can use ini_set to work around this issue.

However, ini_set('cookie_samesite') does not work in PHP Version <= 7.2.
I am sure PHP 7.3 does not support the value 'None'.

I am sure there is no option for < 7.4.
