Standard install of Fuel 1.5.1
Firefox: 96
Chrome: 97.0.4692.99
Cannot login to Fuel dashboard, reports:
"Invalid submission"
Debugging Fuel->Login.php controller, $this->_is_valid_csrf() fails, $this->_session_csrf() is empty
Browser console reports:
Cookie “my_session” rejected because it has the “SameSite=None” attribute but is missing the “secure” attribute.
The same session cookie is generated on my dev box and login works fine. This problem is on a new production server.
How can I set the "secure" attribute for my session cookies?
Comments
Try setting the following to true in fuel/application/config/config.php:
Didn't work.
What did, for me on my server, was this at the top of the config.php:
ini_set('session.cookie_samesite', 'Lax');
ini_set('session.cookie_secure', TRUE);
I think CSRF cookies and the cookie section of config.php are independent.
The whole cookie security thing seems to be a bugbear for the CI3.x community with no final solution to the desire to have a single location where all cookie settings can be set/configured. It's getting more important now that browsers are tightening the screws.
That makes sense. The _session_csrf uses native $_SESSION instead of CI's session (see Fuel_base_controller). Could potentially be ported to use $CI's session.
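An added example, not part of the thread or of FUEL's code: one way to set the native PHP session cookie's attributes in one place before the session starts, refusing the SameSite=None-without-Secure combination the browser rejected above. The function name `build_session_cookie_options` and the HTTPS detection are assumptions; the array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
// Added example: configure the native PHP session cookie before
// session_start(). build_session_cookie_options() is a hypothetical helper.

/**
 * Build the options array for session_set_cookie_params() (PHP 7.3+).
 * $isHttps is decided by the caller; how it is detected is an assumption.
 */
function build_session_cookie_options(bool $isHttps, string $sameSite = 'Lax'): array
{
    $sameSite = ucfirst(strtolower($sameSite));
    if (!in_array($sameSite, ['Lax', 'Strict', 'None'], true)) {
        throw new InvalidArgumentException("Unknown SameSite value: $sameSite");
    }
    // Browsers drop a SameSite=None cookie that lacks Secure. The session is
    // then empty on the next request, so a CSRF token kept in $_SESSION
    // never matches the submitted one.
    if ($sameSite === 'None' && !$isHttps) {
        throw new LogicException('SameSite=None requires the Secure attribute (HTTPS).');
    }
    return [
        'lifetime' => 0,         // session cookie, discarded when the browser closes
        'path'     => '/',
        'secure'   => $isHttps,  // send only over HTTPS when the site is served over HTTPS
        'httponly' => true,      // not readable from JavaScript
        'samesite' => $sameSite,
    ];
}

// Assumption: TLS terminates on this server, so $_SERVER['HTTPS'] is reliable.
// Behind a TLS-terminating proxy, take this value from trusted configuration.
$isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

// Cookie parameters only take effect if they are set before the session starts.
if (session_status() === PHP_SESSION_NONE) {
    session_set_cookie_params(build_session_cookie_options($isHttps, 'Lax'));
    session_start();
}
```

After a request, the `Set-Cookie` header in the browser's network tab should show `Secure; HttpOnly; SameSite=Lax` for the session cookie when the site is served over HTTPS.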