PHP setcookie “SameSite=Strict”?

by

1. For PHP >= v7.3

You can use the $options array to set the samesite value, for example:

setcookie($name, $value, [
    'expires' => time() + 86400,
    'path' => "https://stackoverflow.com/",
    'domain' => 'domain.example',
    'secure' => true,
    'httponly' => true,
    'samesite' => 'None',
]);

The value of the samesite element should be either None, Lax or Strict.

Read more in the manual page.

2. For PHP < v7.3

You can use one of the following solutions/workarounds depending on your codebase/needs

2.1 Setting SameSite cookies using Apache configuration

You can add the following line to your Apache configuration

Header always edit Set-Cookie (.*) "$1; SameSite=Lax"

and this will update all your cookies with SameSite=Lax flag

See more here: https://blog.giantgeek.com/?p=1872

2.2 Setting SameSite cookies using Nginx configuration

location / {
    # your usual config ...
    # hack, set all cookies to secure, httponly and samesite (strict or lax)
    proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
}

Same here, this also will update all your cookies with SameSite=Lax flag

See more here: https://serverfault.com/questions/849888/add-samesite-to-cookies-using-nginx-as-reverse-proxy

2.3 Setting SameSite cookies using header method

As we know cookies are just a header in HTTP request with the following structure

Set-Cookie: key=value; path=/; domain=example.org; HttpOnly; SameSite=Lax

so we can just set the cookies with header method

header("Set-Cookie: key=value; path=/; domain=example.org; HttpOnly; SameSite=Lax");

In fact, Symfony is not waiting for PHP 7.3 and already doing it under the hood, see here

📝You can use same in Laravel too because Laravel under the hood using Symfony’s Symfony\Component\HttpFoundation\Cookie class

2.4 Setting SameSite cookies using a bug in setcookie method

setcookie('cookie-name', '1', 0, '/; samesite=strict');

Be careful with this one, it’s a known bug in PHP setcookie method and already resolved in PHP7.3 version, see here – https://github.com/php/php-src/commit/5cb825df7251aeb28b297f071c35b227a3949f01

More Related Contents:

  1. How Secure Is This Login System? (Using Cookies In PHP)
  2. How do you set up use HttpOnly cookies in PHP
  3. Session timeouts in PHP: best practices
  4. What encryption algorithm is best for encrypting cookies?
  5. Adding files cookies PHP (host)
  6. How can I secure my source code [closed]
  7. Are PDO prepared statements sufficient to prevent SQL injection?
  8. Why would one omit the close tag?
  9. Reference: What is a perfect code sample using the MySQL extension? [closed]
  10. The ultimate clean/secure function
  11. Exploitable PHP functions
  12. Preventing Directory Traversal in PHP but allowing paths
  13. What is the best way to stop people hacking the PHP-based highscore table of a Flash game
  14. preventing csrf in php
  15. Generating cryptographically secure tokens
  16. Which $_SERVER variables are safe?
  17. PHP – setcookie(); not working
  18. What do I need to store in the php session when user logged in?
  19. PHP Sessions with disabled cookies, does it work?
  20. Is it ever ok to store password in plain text in a php variable or php constant?
  21. PHP – setcookie() not working
  22. Can’t set PHP cookie on the same page
  23. PHP: Cookie domain / subdomain control
  24. Is it secure to store a password in a session? [duplicate]
  25. What security problems could come from exposing phpinfo() to end users?
  26. Setting a cookie in an AJAX request?
  27. Unique key generation
  28. Is it possible to execute PHP with extension file.php.jpg?
  29. Sanitize file path in PHP
  30. When to use filter_input()

Leave a Comment