SameSite cookies to None

[fliwire]

Hi, after redirect to payment page processwire session lost because of samesite cookies changed default to "lax".

https://web.dev/samesite-cookies-explained/

tried to hook session::init but not works ?

$wire->addHookBefore("Session::init", function (HookEvent $event) {
    ini_set('session.cookie_samesite', 'None');
    session_set_cookie_params(['samesite' => 'None']);
});

set by htaccess works
 

<ifmodule mod_headers.c>
	Header always edit Set-Cookie ^(.*)$ $1;SameSite=None;Secure
</ifmodule> 

 

[fliwire]

no one same issue ?: 

session lost after payment ?

[j-w]

Hi there!

I've also been having issues regarding "SameSite". As I'm coming different requirements I can't provide you a direct solution but only point out some things for you to check.

- One thing is the session cookie ("wires"), another thing is the cookie that verifies the session ("wires_challenge"). With `ini_set('session.cookie_samesite', 'None');` you only set "SameSite" for the session cookie and not the other one. "wires_challenge" can be enabled/disabled in config.php. Have a try disabling it to see if you're still logged in after payment. If this works and you want to enable it again, then you might need to recreate it with the "SameSite" option and overwrite the previously set one. Check the code in "core/Session.php" for how this cookie is created. Unfortunately I haven't found a simpler way yet to set "SameSite" on the "wires_challenge" cookie.

- If you're using ajax requests from a different domain to PW you need to use the option "withCredentials" to pass the relevant cookies. Also be sure to set any required access-control headers for cross-domain requests (I assume redirects will also require this).

Hope this helps... good luck!