Posted

Hi,

I have clients using a ProcessWire site from within other applications (e.g. browsers in those apps). Previously the site was locked down on IP ranges and login was not required. Now that has changed and login is required. One of the clients now gets a 500 Internal Server Error when trying to log in. I think it is related to the session cookies. This is what I've tried:

In httpd.conf:
Header always set Content-Security-Policy "frame-ancestors 'self' client1.domain.com client2.domain.com"
This I can also see is set by looking at the headers.

Then I'm trying to set SameSite=None, which I can't get working. I've tried:

In .htaccess:
Header edit Set-Cookie ^(.*)$ $1;Secure;SameSite=None

In site/config.php:
ini_set('session.cookie_samesite', 'None');

and...

$config->cookieOptions = [
  'secure' => true,
  'samesite' => 'None',
];

But still the cookies look like this:
[Two screenshots of the cookies; images not preserved]

Does anyone have an idea why the cookie options seem to be the same, no matter how I configure the above?
And do you believe I'm on the right path solving the issue, or can it be something else?

Running an old ProcessWire 3.0.123-0

Thanks
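Added example, not part of the original thread: a small Python check that reads a response's Content-Security-Policy and Set-Cookie values and reports why a session cookie would be withheld when the site is loaded in a cross-site frame, which is the situation the post above describes. The cookie name `session_id` and all header values are constructed samples, not captured from the poster's site.

```python
# Added example: audit response headers for embedding in a cross-site frame.
# Every header value below is a constructed sample.

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookie(value):
    """Return the reasons this cookie would be withheld in a cross-site frame."""
    name, attrs = parse_set_cookie(value)
    samesite = attrs.get("samesite")
    if samesite is None:
        return [f"{name}: no SameSite attribute, Chromium-based browsers treat it as Lax"]
    if samesite.lower() != "none":
        return [f"{name}: SameSite={samesite} is not sent in cross-site frames"]
    if "secure" not in attrs:
        return [f"{name}: SameSite=None without Secure is rejected by Chromium-based browsers"]
    return []


def frame_ancestors(csp):
    """Return the source list of the frame-ancestors directive, or [] if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return []


# Constructed samples: the CSP from the post, and three cookie variants.
SAMPLE_CSP = "frame-ancestors 'self' client1.domain.com client2.domain.com"
SAMPLE_COOKIES = [
    "session_id=abc123; path=/; HttpOnly",                     # no SameSite at all
    "session_id=abc123; path=/; HttpOnly; SameSite=None",      # None but not Secure
    "session_id=abc123; path=/; HttpOnly;Secure;SameSite=None",  # form the Header edit rule produces
]

if __name__ == "__main__":
    print("allowed embedders:", frame_ancestors(SAMPLE_CSP))
    for cookie in SAMPLE_COOKIES:
        print(cookie, "->", audit_cookie(cookie) or "ok for cross-site frames")
```

Paste the real `Set-Cookie` values from the login response into `SAMPLE_COOKIES` to see which of the three cases the server is actually emitting.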

Posted

Learning more, I think the best choice is to upgrade to the latest version, where there is support for SameSite. Does anyone know if there is an upgrade path from 123, or can one go directly to the latest?
