Firefox and SameSite cookie attribute

  • Posts: 52
  • Thank you received: 6
  • Hikashop Business
2 years 3 months ago #344074

-- HikaShop version -- : 4.6.1
-- Joomla version -- : 3.10.10
-- PHP version -- : 7.4.30
-- Browser(s) name and version -- : Firefox
-- Error-message (debug mode must be turned on) -- : Cookie “hikashop_cart_id” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Cookie “hikashop_cart_session_id” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Firefox has changed security on cookies, which now causes errors if SameSite is not set correctly. Firefox is currently giving various warnings depending on the actions undertaken. Is there any plan to update the values in cookies to stop this or am I missing something in Joomla?
I am not currently seeing the issue on other browsers.


  • Posts: 82863
  • Thank you received: 13372
  • MODERATOR
2 years 3 months ago #344076

Hi,

That's not really an error. It's just a warning, and that warning can be ignored. The cookies work as expected like that.
The cookies are only to provide the cart_id and session_id for the browser to the server, so there is no need for third party context support.

Now, we could potentially add that but with the setcookie function we're using there, it's only possible to set the SameSite attribute with PHP 7.3 or higher. And since we still support older versions of PHP, we can't really use the normal way of setting it.

There is a roundabout way though. Try changing the code:

		if((int)@$this->user->user_id > 0) {
			@setcookie('hikashop_'.$type.'_id', '', time() - 3600, '/');
			@setcookie('hikashop_'.$type.'_session_id', '', time() - 3600, '/');
		} else {
			$delay = (int)$this->config->get('cart_cookie_retaining_period', 31557600);
			@setcookie('hikashop_'.$type.'_id', $element, time() + $delay, "/");
			@setcookie('hikashop_'.$type.'_session_id', $jsession->getId(), time() + $delay, "/");
		}
to:
		if((int)@$this->user->user_id > 0) {
			@setcookie('hikashop_'.$type.'_id', '', time() - 3600, '/; SameSite=Lax');
			@setcookie('hikashop_'.$type.'_session_id', '', time() - 3600, '/; SameSite=Lax');
		} else {
			$delay = (int)$this->config->get('cart_cookie_retaining_period', 31557600);
			@setcookie('hikashop_'.$type.'_id', $element, time() + $delay, "/; SameSite=Lax");
			@setcookie('hikashop_'.$type.'_session_id', $jsession->getId(), time() + $delay, "/; SameSite=Lax");
		}
in the file administrator/components/com_hikashop/classes/cart.php
That should remove these warnings even on older versions of PHP.

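The two ways of setting SameSite discussed in the reply above, combined into one version-aware helper. This is an added example, not part of the original posts and not HikaShop code; the function name `set_cookie_samesite` and the sample cart id are hypothetical. It branches on the PHP version because PHP 7.3 and later validate the path argument and refuse a value containing `;`.

```php
<?php
// Added example: hypothetical helper, not HikaShop's own code.
// Uses array() syntax and no type hints so it also parses on old PHP versions.
function set_cookie_samesite($name, $value, $expires, $path = '/',
                             $sameSite = 'Lax', $secure = false, $httpOnly = false)
{
    // Allow-list the attribute so nothing else can be appended to the header.
    if (!in_array($sameSite, array('Lax', 'Strict', 'None'), true)) {
        throw new InvalidArgumentException('SameSite must be Lax, Strict or None');
    }
    // Browsers reject SameSite=None cookies that are not also Secure.
    if ($sameSite === 'None' && !$secure) {
        throw new InvalidArgumentException('SameSite=None requires the Secure flag');
    }
    // The path must be a plain path; only this helper adds the attribute suffix.
    if (strpbrk($path, ",; \t\r\n\013\014") !== false) {
        throw new InvalidArgumentException('Invalid character in cookie path');
    }

    if (PHP_VERSION_ID >= 70300) {
        // PHP 7.3+: the options array is the supported way to set SameSite.
        // Here setcookie() rejects ';' in $path with a warning and returns
        // false, and '@' would hide that warning.
        return setcookie($name, $value, array(
            'expires'  => $expires,
            'path'     => $path,
            'secure'   => $secure,
            'httponly' => $httpOnly,
            'samesite' => $sameSite,
        ));
    }

    // PHP < 7.3: no SameSite parameter exists, so the attribute is appended
    // to the path, which these versions copy into the header unchecked.
    return setcookie($name, $value, $expires,
                     $path . '; SameSite=' . $sameSite, '', $secure, $httpOnly);
}

// Usage with constructed sample values (cart id 42, default retaining period).
$ok = set_cookie_samesite('hikashop_cart_id', '42', time() + 31557600);
if (!$ok) {
    // No '@' suppression: a cookie that could not be set gets logged.
    error_log('hikashop_cart_id cookie was not set');
}
```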
