SameSite cookie setting is not working.
In config/session.php I set 'same_site' => 'lax', but the Set-Cookie header does not contain the SameSite flag.
Are you using a cached configuration? If so, rebuild it with php artisan config:cache.
Didn't use it before, but ran it now. Same result. However, printing config('session.same_site') returns lax.
I can confirm this issue. I found out by debugging that the samesite attribute is added to the header even in Kernel.php so it must be stripped some time later.
@taylorotwell Laravel claims to support the SameSite attribute on cookies (you can set it in config/session.php) but Symfony doesn't support it. Symfony does claim to support it, which is probably what confused the dev who added it to Laravel, but Symfony (in http-foundation/response.php) then calls PHP's setcookie without passing in the SameSite param. This makes sense, since PHP will only support the SameSite param in 7.3. See https://wiki.php.net/rfc/same-site-cookie
Because this is misleading and probably cost several people (including me) hours of trying to debug this issue, I propose removing the config option from Laravel until 1) PHP 7.3 is released and 2) Symfony actually passes the param to setcookie. Does that seem fair?
I also reported this with Symfony https://github.com/symfony/symfony/issues/25344
They made a blog post about it as well. Strange that it's been over a year and it doesn't work at all?
httpfoundation improvements
Yes, it seems they just accepted the PR and never checked if it actually worked. A bit sloppy...
And what does this show about our own QA process? ...
Just so you know, this was working on previous versions of Symfony; you can check here:
https://github.com/iangcarroll/symfony/blob/38e903999883f0c159d20308765884122d7ee1f7/src/Symfony/Component/HttpFoundation/Response.php#L337.
The SameSite attribute was being set using headers and not setcookie; this is also the proposed fix for Symfony 3.3 on https://github.com/symfony/symfony/pull/25348.
But yeah, I agree I should've created better tests for this feature instead of assuming that Symfony would set it properly and wouldn't break it afterwards.
It seems in the past the cookies were set twice, then: once using headers and also using setcookie(). When they fixed that, they broke the SameSite functionality. However, it might be a good idea to cross-reference PHP's implementation so Symfony doesn't have any regressions when using its own implementation. I mentioned that in the PR.
The issue seems to be resolved. Checked both "strict" and "lax" settings on Laravel 5.6.38 and Symfony 4.1.5.
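A check of the kind the thread says was missing, added here as an example and not code from Laravel or Symfony: it parses Set-Cookie header values (constructed samples, one shaped like the header reported above with the attribute dropped even though the config says lax) and reports cookies whose SameSite attribute is absent or differs from the configured value, so a regression like this one shows up at the wire level rather than in config().

```python
"""Verify the SameSite attribute on Set-Cookie headers as actually emitted."""
from typing import Dict, List, Optional

# Constructed sample headers. The first mimics the bug in the thread: the
# session config says 'lax' but the attribute never reaches the response.
# The second is the corrected form; the third exercises the None/Secure rule.
SAMPLE_HEADERS = [
    "laravel_session=abc123; expires=Thu, 01-Jan-2026 00:00:00 GMT; Max-Age=7200; path=/; httponly",
    "laravel_session=abc123; expires=Thu, 01-Jan-2026 00:00:00 GMT; Max-Age=7200; path=/; httponly; samesite=lax",
    "XSRF-TOKEN=tok; Max-Age=7200; path=/; SameSite=None",
]


def parse_set_cookie(header: str) -> Dict[str, Optional[str]]:
    """Split one Set-Cookie value into lower-cased attribute names.

    The cookie's own name and value are stored under '_name' and '_value'.
    Flag attributes without '=' (Secure, HttpOnly) map to None.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {"_name": name.strip(), "_value": value.strip()}
    for part in parts[1:]:
        if not part:
            continue
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else None
    return attrs


def check_samesite(header: str, expected: str) -> List[str]:
    """Return findings for one header; an empty list means it matches."""
    attrs = parse_set_cookie(header)
    name = attrs["_name"]
    samesite = attrs.get("samesite")
    if samesite is None:
        return [f"{name}: SameSite attribute missing (expected {expected})"]
    findings: List[str] = []
    value = samesite.lower()
    if value != expected.lower():
        findings.append(f"{name}: SameSite={samesite}, expected {expected}")
    if value == "none" and "secure" not in attrs:
        # Browsers reject SameSite=None cookies that are not also Secure.
        findings.append(f"{name}: SameSite=None requires the Secure attribute")
    return findings


def audit(headers: List[str], expected: str = "lax") -> List[str]:
    """Run check_samesite over every Set-Cookie header of a response."""
    return [f for h in headers for f in check_samesite(h, expected)]


if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS, "lax"):
        print(finding)
```

In a real test the list would be fed from the response's Set-Cookie headers, which is where the thread's `config('session.same_site')` check could not see the problem.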