It looks like you're new here. If you want to get involved, click one of these buttons!
Standard install of Fuel 1.5.1
Cannot login to Fuel dashboard, reports:
Debugging Fuel->Login.php controller, $this->_is_valid_csrf() fails, $this->_session_csrf() is empty
Browser console reports:
Cookie “my_session” rejected because it has the “SameSite=None” attribute but is missing the “secure” attribute.
The same session cookie is generated on my dev box and login works fine. This problem is on a new production server.
How can I set the "secure" attribute for my session cookies?
Try setting the following to true in fuel/application/config/config.php:
What did, for me on my server, was this at the top of the config.php:
I think CSRF cookies and the cookie section of config.php are independent.
The whole cookie security thing seems to be a bugbear for the CI3.x community with no final solution to the desire to have a single location where all cookie settings can be set/configured. It's getting more important now that browsers are tightening the screws.
That makes sense. The _session_csrf uses native
$_SESSIONinstead of CI's session (see Fuel_base_controller). Could potentially be ported to use $CI's session.