2
votes

The server is running PHP Version 5.4.45. Google Chrome will limit cross-site tracking by default beginning February 4, 2020, which will cause problems for a Procurement Application that connects to our website via an iframe.

I need to set the session cookie with SameSite=None; Secure;

Any suggestions will be greatly appreciated

Thanks

2
You could google for "how to set the session cookie with SameSite=None; Secure". - IncredibleHat

2 Answers

5
votes

SameSite is available from PHP version >= 7.3, in php.ini and in session_set_cookie_params() if used in the form session_set_cookie_params(array $options): bool.

About PHP version < 7.3... I honestly don't know if using header() would override the options set by session_start(). It could; maybe I'll try and update the answer.

I did a simple test with php:5.6-cli (Docker image, I think it was 5.6.40) and it seems to work as expected:

<?php
session_start();
// Re-send the session cookie with the attributes PHP < 7.3 cannot emit itself
header('Set-Cookie: ' . session_name() . '=' . session_id() . '; SameSite=None; Secure');

By default this version of PHP sets the session cookie only with key=value; path=/. Using header() it is overwritten: only one cookie is sent in the response, and only with SameSite=none; Secure (verified in Chromium's cookies and in Wireshark packets).

However, I would recommend testing with the version of php you are using, the behavior may change.

Personally I am thinking of not using session_start(), storing sessions in a db and using normal cookies set with header().

0
votes

For end-of-life versions of PHP like this, you should primarily upgrade, as you are already exposing yourself to a number of known security vulnerabilities.

However, to patch this, you will need to update the places where you may be using setcookie() to manually set the header, e.g.

header('Set-Cookie: cross-site-cookie=bar; SameSite=None; Secure');
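A version-aware variant of the header() override both answers describe, as an added example that is not code from either answer or from PHP itself. It assumes the site is served over HTTPS (required for the Secure attribute), that session.cookie_lifetime is 0 (a session cookie, so no Expires is needed), and that it runs before any output.

```php
<?php
// Added example: start a session whose cookie carries SameSite=None; Secure
// on PHP >= 7.3 (native support) and on older releases (header() override).
// Written without PHP 7-only syntax so it also parses on PHP 5.4.
function start_cross_site_session()
{
    if (PHP_VERSION_ID >= 70300) {
        // The array form of session_set_cookie_params() accepts 'samesite',
        // so PHP emits the attribute on the session cookie itself.
        session_set_cookie_params(array(
            'lifetime' => 0,
            'path'     => '/',
            'domain'   => '',
            'secure'   => true,
            'httponly' => true,
            'samesite' => 'None',
        ));
        session_start();
        return;
    }

    // PHP < 7.3: session_start() queues a Set-Cookie header without SameSite.
    // header() with replace=true (the default) discards queued Set-Cookie
    // headers and sends ours instead, so call this right after session_start()
    // and before any setcookie() calls whose cookies you want to keep.
    session_start();
    resend_session_cookie_cross_site();
}

// Re-emit the session cookie with the attributes PHP < 7.3 cannot set.
// Call it again after session_regenerate_id(), which re-queues the old form.
function resend_session_cookie_cross_site()
{
    header(sprintf(
        'Set-Cookie: %s=%s; Path=/; Secure; HttpOnly; SameSite=None',
        session_name(),
        rawurlencode(session_id())
    ), true);
}

start_cross_site_session();
$_SESSION['visits'] = isset($_SESSION['visits']) ? $_SESSION['visits'] + 1 : 1;
```

Verify the result as the first answer did: the response should contain exactly one Set-Cookie header for the session name, carrying SameSite=None and Secure.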