php-crud-api
MIDDLEWARE - dbAuth - PHPSESSID Cookie - SameSite Option
Is there a way to set, in the PHPSESSID cookie, the SameSite option to "None"? My devel db is on another machine and the browser defaults its value to SameSite="Lax", blocking it.
I've added this: session_set_cookie_params(['samesite' => 'None', 'secure' => true]); at line 7864, just before session_start(); this seems to do the trick.
There are other session_start() calls in other middleware (maybe 3 or so?).
Could be nice to have a config option for that ;)
Related: https://github.com/mevdschee/php-crud-api/issues/827#issuecomment-1012048398
What about this approach?

    if (session_status() == PHP_SESSION_NONE) {
        if (!headers_sent()) {
            $sessionName = $this->getProperty('sessionName', '');
            if ($sessionName) {
                session_name($sessionName);
            }
            // switch the session cookie to SameSite=None; Secure only when the request body sets allowSameSite
            if (isset($body->allowSameSite)) {
                session_set_cookie_params(['samesite' => 'None', 'secure' => true]);
            }
            session_start();
        }
    }
has this feature been merged?
No, as I still have some doubts about the code.
What does $body->allowSameSite do? Also, this array syntax for session_set_cookie_params is not supported in PHP < 7.3.
Why do we need SameSite set to None, is Lax not good enough?
How about this code instead?
    // only apply defaults that the administrator has not already set in php.ini / .htaccess
    if (!ini_get('session.cookie_samesite')) {
        ini_set('session.cookie_samesite', $this->getProperty('sameSite', 'Lax'));
    }
    if (!ini_get('session.cookie_httponly')) {
        ini_set('session.cookie_httponly', 1);
    }
    // mark the cookie Secure only when the request actually came in over HTTPS
    if (!ini_get('session.cookie_secure') && isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') {
        ini_set('session.cookie_secure', 1);
    }
Please let me know what you think, your input is much appreciated.
Well, actually I don't remember and (considering my PHP knowledge) I don't know what I thought that code would have done. Actually I've only texted you to understand if we had moved forward from that point.
Would you exclude giving the possibility to disable the SameSite setting, overriding the php.ini config?
If you, e.g., don't have access to the php.ini config and use the API cross-site, you would find yourself in trouble.
We could add a CORS setting like cors.disableSameSite to set samesite to none and secure to true.
How does that sound?
Well, we haven't, since it is not an easy issue. Note that I am not against assuming that people aren't able to configure their PHP correctly (through php.ini or php_flag in .htaccess), so I'm willing to make a change to the code.
I guess we should override the php.ini setting right? Or shouldn't we? The ini setting is not set by default.
Communication between subdomains (such as api.yourdomain.com and app.yourdomain.com) is allowed without having to set 'SameSite' to 'None'.
I'm not entirely sure what the defaults should be. I feel it may be a trade-off between security and convenience.
Well, actually that solution would just be an escape path in very particular situations, so it should be used carefully and consciously. Your argumentation is more than reasonable.
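A helper along the lines of the ini_set() proposal and the cors.disableSameSite idea above, written as an added example and not code from php-crud-api itself. The 'sameSite' config key is an assumption mirroring getProperty('sameSite', 'Lax'); it leaves settings already fixed in php.ini alone and refuses SameSite=None over plain HTTP, because browsers discard a SameSite=None cookie that is not also marked Secure:

```php
<?php
// Added example, not php-crud-api's own code. Requires PHP >= 7.3, which
// introduced the session.cookie_samesite ini setting.
// $config['sameSite'] is a hypothetical key standing in for getProperty('sameSite', 'Lax').
function configureSessionCookie(array $config, array $server): array
{
    $sameSite = $config['sameSite'] ?? 'Lax';
    $https = isset($server['HTTPS']) && $server['HTTPS'] !== 'off';

    if (!in_array($sameSite, ['Lax', 'Strict', 'None'], true)) {
        throw new InvalidArgumentException("Unknown SameSite value: $sameSite");
    }
    // Browsers drop a SameSite=None cookie that is not also Secure, so the
    // cross-site escape hatch only works over HTTPS. Fail loudly instead of
    // issuing a cookie the browser will silently ignore.
    if ($sameSite === 'None' && !$https) {
        throw new RuntimeException('SameSite=None requires HTTPS so the cookie can be marked Secure');
    }

    $wanted = [
        'session.cookie_samesite' => $sameSite,
        'session.cookie_httponly' => '1',
    ];
    if ($https) {
        $wanted['session.cookie_secure'] = '1';
    }

    // Only fill in settings the administrator has not already fixed in
    // php.ini or via php_flag in .htaccess; those take precedence.
    $applied = [];
    foreach ($wanted as $key => $value) {
        if (!ini_get($key)) {
            ini_set($key, $value);
            $applied[$key] = $value;
        }
    }
    return $applied; // the settings this call actually changed
}

// Usage, at the same spot as the middleware's session_start():
// configureSessionCookie(['sameSite' => 'None'], $_SERVER);
// session_start();
```

With the default 'Lax' the helper does nothing cross-site; subdomains such as api.yourdomain.com and app.yourdomain.com already count as same-site, so 'None' is only needed for a genuinely different site.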