Browsers have recently tightened security measures. If you see a warning regarding the SameSite attribute on your site, it means you must explicitly tell the browser how to handle your cookies in different contexts.
What is SameSite?
The SameSite attribute in the HTTP cookie header controls when a cookie is sent to the server. Its main purpose is to protect against:
- CSRF Attacks: Prevents malicious sites from exploiting your active user session.
- Information Leakage: Limits the sharing of cookies across different domains.
Possible Attribute Values
- Strict: The strictest setting. The cookie is only sent when the request originates from the same domain.
- Lax: The safe default. The cookie is sent for navigation within the same domain and for some top-level links from external sites, but not for embedded content such as iframes.
- None (with Secure): The cookie is always sent, including in third-party contexts. It must be combined with the Secure attribute, so it only works over an HTTPS connection.
How to Solve it in Code
PHP (7.3+)
setcookie("PH_HPXY_CHECK", "value", [
    "samesite" => "None",  // option keys are lowercase in PHP's options array
    "secure"   => true,    // mandatory for None: the cookie is only sent over HTTPS
    "httponly" => true     // not readable from JavaScript
]);
JavaScript
document.cookie = "PH_HPXY_CHECK=value; SameSite=None; Secure";
Nginx / Apache
If setting cookies at the server level:
# Nginx
add_header Set-Cookie "PH_HPXY_CHECK=value; Path=/; SameSite=None; Secure";
# Apache
Header always add Set-Cookie "PH_HPXY_CHECK=value; Path=/; SameSite=None; Secure"
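To check a Set-Cookie header like the ones above before shipping it, here is an added JavaScript example (not code from the original page): it parses the header, flags SameSite=None without Secure and a missing SameSite, and predicts whether a browser attaches the cookie in each of the request contexts the attribute values above describe. The context names and the Lax fallback for missing or unknown values are assumptions of this example.

```javascript
// Added example, not from the original page. Missing or unrecognised
// SameSite values are treated as Lax here (Chromium's default).
const CONTEXTS = {
  SAME_SITE: "same-site",                            // request from your own site
  CROSS_TOP_LEVEL_GET: "cross-site top-level GET",   // user follows a link
  CROSS_TOP_LEVEL_POST: "cross-site top-level POST", // form posted from elsewhere
  CROSS_SUBRESOURCE: "cross-site subresource",       // iframe, img, fetch
};
const VALID = ["strict", "lax", "none"];
// Split "name=value; Attr; Attr=val" into name, value and lowercase attrs.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i < 0 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i < 0 ? true : part.slice(i + 1).trim(); // bare flag -> true
  }
  return { name: eq < 0 ? pair : pair.slice(0, eq), value: eq < 0 ? "" : pair.slice(eq + 1), attrs };
}
// Effective SameSite mode: strict, lax or none.
function sameSiteOf(attrs) {
  const v = typeof attrs.samesite === "string" ? attrs.samesite.toLowerCase() : "";
  return VALID.includes(v) ? v : "lax";
}
// Return a list of problems; an empty list means the header is acceptable.
function auditSetCookie(header) {
  const { attrs } = parseSetCookie(header);
  const issues = [];
  if (attrs.samesite === undefined) issues.push("SameSite missing: Chromium defaults to Lax");
  else if (!VALID.includes(String(attrs.samesite).toLowerCase()))
    issues.push(`unknown SameSite value: ${attrs.samesite}`);
  if (sameSiteOf(attrs) === "none" && attrs.secure !== true)
    issues.push("SameSite=None requires Secure; browsers reject the cookie");
  return issues;
}
// Predict whether the cookie is attached to a request made in `context`.
function cookieSent(header, context) {
  const { attrs } = parseSetCookie(header);
  const mode = sameSiteOf(attrs);
  if (mode === "none" && attrs.secure !== true) return false; // never stored at all
  if (context === CONTEXTS.SAME_SITE) return true;
  if (mode === "strict") return false;
  if (mode === "none") return true;
  return context === CONTEXTS.CROSS_TOP_LEVEL_GET;            // Lax
}
```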