DEVHIDE
Login Or Sign up

Symfony 3.2, authentification and cross-site cookies

1.5k Views Asked by At

I know that Symfony 3.2 is not maintained for very long time, but it happens that my company use it. And now we have a problem with authentifacation. We have widget that can be (and is) installed on multiple sites, so user can log in there. But database and backend code in Symfony 3.2 is stored in our site. And for authentification we use standard Symfony cookies, which are in our case cross-site. But now Google Chrome is restricted access to cross-domain cookies which are not marked as SameSite=None. So authentification in Chrome doesn't work anymore. I know that in Symfony 4.2 I can solve this problem by setting security parameter in security.yaml. But in Symfony 3.2 it doesn't work. Is there any way to solve this problem except for upgrade to Symfony 4?

symfony cookies symfony-3.2
Original Q&A
1

There are 1 best solutions below

0
rowan_m On

From https://github.com/GoogleChromeLabs/samesite-examples/blob/master/php.md

As of PHP 7.3.0 the setcookie() method supports the SameSite attribute in its options and will accept None as a valid value.

// Set a same-site cookie for first-party contexts
setcookie('cookie1', 'value1', ['samesite' => 'Lax']);
// Set a cross-site cookie for third-party contexts
setcookie('cookie2', 'value2', ['samesite' => 'None', 'secure' => true]);

For earlier versions of PHP, you can also set the header() directly:

// Set a same-site cookie for first-party contexts
header('Set-Cookie: cookie1=value1; SameSite=Lax', false);
// Set a cross-site cookie for third-party contexts
header('Set-Cookie: cookie2=value2; SameSite=None; Secure', false);

For Session Cookie , you can set into session_set_cookie_params method. PHP 7.3.0 introduced new attributes for samesite.

if (PHP_VERSION_ID >= 70300) { 
session_set_cookie_params([
    'lifetime' => $cookie_timeout,
    'path' => '/',
    'domain' => $cookie_domain,
    'secure' => $session_secure,
    'httponly' => $cookie_httponly,
    'samesite' => 'Lax'
]);
} else { 
session_set_cookie_params(
    $cookie_timeout,
    '/; samesite=Lax',
    $cookie_domain,
    $session_secure,
    $cookie_httponly
);
}

There are third-party packages, such as delight-im/PHP-Cookie, which supports the SameSite attribute and the None value (since v3.2) on PHP 5.4.0+.

Related Questions in SYMFONY

Related Questions in COOKIES

Related Questions in SYMFONY-3.2

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json

Popular Questions

.

Copyright © 2021 Jogjafile Inc.