Setting session.cookie_samesite=None in php ini does not set attribute of session samesite

Bug #1905109 reported by Bob Tanner on 2020-11-21
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
php
Unknown
Unknown
php7.2 (Ubuntu)
Undecided
Unassigned
Bionic
Wishlist
Unassigned

Bug Description

I think this issue is related to the bug tracked at https://bugs.php.net/bug.php?id=78651

Test script:
------------
<?php

session_set_cookie_params([
    'SameSite' => 'None',
    'Secure' => true
]);

session_start();
var_dump($_SESSION);
?>

Developer Tools results of the script run with php7.2 and Chrome 87.0.4280.67 show a checkmark in the Secure column, nothing/blank in the SameSite column, Medium in the Priority column.

Developer Tools results of the script run with php7.4 and Chrome 87.0.4280.67 show a checkmark in the Secure column, "None" (no quotes" in the SameSite column, Medium in the Priority column.

Revision history for this message
Bryce Harrington (bryce) wrote :

To clarify, you're saying it works properly for you with php7.4 but not with php7.2? If that's true then there might be a patch to pull from upstream, although the bug you link isn't pointing to one, just a doc fix.

Also, what version of Ubuntu are you running? We only have php7.2 on bionic (18.04), would I guess correctly that's what you're on?

Changed in php-defaults (Ubuntu):
status: New → Incomplete
Bryce Harrington (bryce) on 2020-11-24
affects: php-defaults (Ubuntu) → php7.2 (Ubuntu)
Revision history for this message
Bob Tanner (tanner) wrote :

I believe this is the upstream change log entry that address the SameSite cookie issue I'm experiencing with the bionic php7.2 packaged.

https://www.php.net/ChangeLog-7.php#7.2.34

Added support for the SameSite cookie directive, including an alternative signature for setcookie(), setrawcookie() and session_set_cookie_params().

My fault for not including all information.

cat /etc/issue
Ubuntu 18.04.5 LTS \n \l

php7.2.24-0ubuntu0.18.04.7

Revision history for this message
Bob Tanner (tanner) wrote :

Maybe this commit?

commit 2b58ab23c6ad3301b31a2015f5faa31801147dfd
Author: Pedro Magalhães <email address hidden>
Date: Thu Jul 19 02:40:39 2018 +0100

    Support for samesite cookies with array syntax

    Allows using an alternative array argument with
    support for the samesite option on the following
    functions:
    setcookie
    setrawcookie
    session_set_cookie_params

Revision history for this message
Bob Tanner (tanner) wrote :
Revision history for this message
Bryce Harrington (bryce) wrote :

Thanks for the pointers Bob, that patch does indeed look like a fix for this. I notice there was also a subsequent bugfix for https://bugs.php.net/patch-display.php?bug_id=77612.

Changed in php7.2 (Ubuntu):
status: Incomplete → Triaged
Changed in php7.2 (Ubuntu Bionic):
status: New → Triaged
Revision history for this message
Bryce Harrington (bryce) wrote :

I'm setting the bug to wishlist since the patch adds a new functionality for php7.2.

The stable release update (SRU) policy for Ubuntu permits regression fixes but typically does not allow new features unless there is a very compelling reason. So I'm unsure we'll be able to move forward with a fix for this in bionic, at least not through the SRU process.

Changed in php7.2 (Ubuntu Bionic):
importance: Undecided → Wishlist
Revision history for this message
Bob Tanner (tanner) wrote :

If this php7.2 bug is not fixed the changes to cookies defaults in Chrome 80+ breaks many sites.

Like a webhook call back from PayPal (my problem) but any web site the requires SameSite=None will be broken.

Revision history for this message
Bryce Harrington (bryce) wrote :

Hi Bob, thanks for the quick reply with the note about the impact. That may impact the importance of the issue if we can understand it better.

If we will move forward with an SRU fix, we must be able to explain to the SRU review team precisely how users will be affected, and include a cohesive test case that can be run to verify the issue and its fix. Particularly so in this case since the patch is on the larger side, and as such has a higher regression risk (which means less likelihood of acceptance by the SRU team). So the more compelling the problem statement, and the more clear the test case, the better our chances.

Can you elaborate a further on what the breakages will look like?

Changed in php7.2 (Ubuntu Bionic):
status: Triaged → Incomplete
Revision history for this message
Bob Tanner (tanner) wrote :

Getting past a SRU review is a heavy lift without a guaranteed successful outcome/fix/patch.

I've convinced the powers that be to allow me to use a php7.4 PPA to fix the bug.

I'll state this again.

I'm surprised more people have not opened bugs or complained. As a php developer attempting to use PayPal Payflow Pro anyone with Chrome 80+ will not be able to use your web site with the bug in current release of php in bionic.

You can close this bug.

Thank you.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Bob, glad to hear that you found a workaround for yourself. But still for the overall user-base it would help a lot if we can make an SRU of it, but for that a good case is needed.
Even with you having found your own workaround it would be great if you could provide a detailed answer to the question of Bryce "Can you elaborate a further on what the breakages will look like?"

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.