Samesite cookie requirement

**simon1066** · 22 Oct 2020, 11:18 AM

I've seen a number of posts referencing the samesite cookie requirement now being enforced by browsers. The effect of which seems to be issues checking out with certain payment modules and browser console warnings, the latter of which may be affecting SE rankings if I read this post correctly, https://www.zen-cart.com/showthread....85#post1374085

I see that a fix is included in the upcoming release of ZC v1.57a. In the interim and for those who are not ready to upgrade to that version, should the v1.57a changes to the two occurrences of init_sessions.php be applied to all older ZC versions?

**dbltoe** · 22 Oct 2020, 11:41 AM

Check out the fix at https://www.zen-cart.com/showthread....85#post1374085

**simon1066** · 22 Oct 2020, 11:55 AM

Originally Posted by dbltoe

Check out the fix at https://www.zen-cart.com/showthread....85#post1374085

Yes that's the post I referred to. Although the code is slightly different in the v1.57a release, being:

Code:

//session_set_cookie_params(0, $path, (zen_not_null($cookieDomain) ? $domainPrefix . $cookieDomain : ''), $secureFlag, TRUE);
$samesite = (defined('COOKIE_SAMESITE')) ? COOKIE_SAMESITE : 'lax';
if (!in_array($samesite, array('lax', 'strict', 'none'))) $samesite = 'lax';

if (PHP_VERSION_ID < 70300) {
    session_set_cookie_params(0, $path .'; samesite='.$samesite, (zen_not_null($cookieDomain) ? $domainPrefix . $cookieDomain : ''), $secureFlag, TRUE);
} else {
    session_set_cookie_params(array(
        'lifetime' => 0,
        'path' => $path,
        'domain' => (zen_not_null($cookieDomain) ? $domainPrefix . $cookieDomain : ''),
        'secure' => $secureFlag,
        'httponly' => TRUE,
        'samesite' => $samesite
    ));
} else {
  session_set_cookie_params(0, $path, (zen_not_null($cookieDomain) ? $domainPrefix . $cookieDomain : ''), $secureFlag, true);
  ini_set('session.cookie_samesite', $samesite);
}

**simon1066** · 22 Oct 2020, 12:03 PM

Originally Posted by simon1066

Yes that's the post I referred to. Although the code is slightly different in the v1.57a release, being:

Code:

//session_set_cookie_params(0, $path, (zen_not_null($cookieDomain) ? $domainPrefix . $cookieDomain : ''), $secureFlag, TRUE);
$samesite = (defined('COOKIE_SAMESITE')) ? COOKIE_SAMESITE : 'lax';
if (!in_array($samesite, array('lax', 'strict', 'none'))) $samesite = 'lax';

if (PHP_VERSION_ID < 70300) {
    session_set_cookie_params(0, $path .'; samesite='.$samesite, (zen_not_null($cookieDomain) ? $domainPrefix . $cookieDomain : ''), $secureFlag, TRUE);
} else {
    session_set_cookie_params(array(
        'lifetime' => 0,
        'path' => $path,
        'domain' => (zen_not_null($cookieDomain) ? $domainPrefix . $cookieDomain : ''),
        'secure' => $secureFlag,
        'httponly' => TRUE,
        'samesite' => $samesite
    ));
} else {
  session_set_cookie_params(0, $path, (zen_not_null($cookieDomain) ? $domainPrefix . $cookieDomain : ''), $secureFlag, true);
  ini_set('session.cookie_samesite', $samesite);
}

Sorry the above code is incorrect, from github it is:

Code:

$samesite = (defined('COOKIE_SAMESITE')) ? COOKIE_SAMESITE : 'lax';
if (!in_array($samesite, ['lax', 'strict', 'none'])) $samesite = 'lax';


if (PHP_VERSION_ID >= 70300) {
  session_set_cookie_params([
    'lifetime' => 0,
    'path' => $path,
    'domain' => (zen_not_null($cookieDomain) ? $domainPrefix . $cookieDomain : ''),
    'secure' => $secureFlag,
    'httponly' => true,
    'samesite' => $samesite,
  ]);
} else {
  session_set_cookie_params(0, $path, (zen_not_null($cookieDomain) ? $domainPrefix . $cookieDomain : ''), $secureFlag, true);
  ini_set('session.cookie_samesite', $samesite);
}

**lat9** · 22 Oct 2020, 01:12 PM

Originally Posted by simon1066

I've seen a number of posts referencing the samesite cookie requirement now being enforced by browsers. The effect of which seems to be issues checking out with certain payment modules and browser console warnings, the latter of which may be affecting SE rankings if I read this post correctly, https://www.zen-cart.com/showthread....85#post1374085

I see that a fix is included in the upcoming release of ZC v1.57a. In the interim and for those who are not ready to upgrade to that version, should the v1.57a changes to the two occurrences of init_sessions.php be applied to all older ZC versions?

Originally Posted by dbltoe

Check out the fix at https://www.zen-cart.com/showthread....85#post1374085

Yes, that code I posted is slightly different from the implementation chosen for Zen Cart base inclusion. I'll note that I've seen some sites where ini_set is in the PHP 'disallowed' functions list; that's why I've chosen that alternate implementation.