SameSite=None; Secure Cookie Settings

janus
Registered User
Posts: 28
Joined: Thu Nov 26, 2015 1:06 pm

SameSite=None; Secure Cookie Settings

Post by janus »

Any plans to make phpBB ready for SameSite=None; Secure cookie settings?
https://www.smarthostingplans.com/uncat ... -settings/

I understand the only thing to change is:
Open: [ROOT]/phpbb/session.php
Find:

header('Set-Cookie: ' . $name_data . (($cookietime) ? '; expires=' . $expire : '') . '; path=' . $config['cookie_path'] . $domain . ((!$config['cookie_secure']) ? '' : '; secure') . ';' . (($httponly) ? ' HttpOnly' : ''), false);

Replace with:

header('Set-Cookie: ' . $name_data . (($cookietime) ? '; expires=' . $expire : '') . '; path=' . $config['cookie_path'] . $domain . ((!$config['cookie_secure']) ? '' : '; secure') . ';' . (($httponly) ? ' HttpOnly' : '') . '; SameSite=Strict', false);

3Di
Registered User
Posts: 951
Joined: Tue Nov 01, 2005 9:50 pm
Location: Milano 🇮🇹 Frankfurt 🇩🇪
Contact:

Re: SameSite=None; Secure Cookie Settings

Post by 3Di »

At first glance that hack is wrongly coded, IMO.
Moreover, there will be a bit more to do in case it gets implemented; you could open a ticket and let someone take care of it eventually.

SpIdErPiGgY
Registered User
Posts: 7
Joined: Sun May 02, 2021 2:24 pm

Re: SameSite=None; Secure Cookie Settings

Post by SpIdErPiGgY »


P_I
Community Team
Posts: 146
Joined: Fri Oct 31, 2014 4:56 am

Re: SameSite=None; Secure Cookie Settings

Post by P_I »

I would broaden the discussion to all things related to security of cookies. https://developer.mozilla.org/en-US/doc ... s#security provides background.

I'm left to wonder why there is even an ACP setting for whether or not a cookie is secure. This seems to cause endless support questions. I opened https://tracker.phpbb.com/browse/PHPBB-17435 for this issue.

To the best of my knowledge neither WordPress nor MediaWiki explicitly require configuration as to whether cookies are secure or not. If the connection is HTTPS they set the cookie as secure. Why can't phpBB do the same?

Noxwizard
Support Team Leader
Posts: 138
Joined: Sun Dec 18, 2005 5:44 pm
Location: Texas
Contact:

Re: SameSite=None; Secure Cookie Settings

Post by Noxwizard »

P_I wrote: Fri Nov 22, 2024 8:51 pm
> I'm left to wonder why there is even an ACP setting for whether or not a cookie is secure.

This leaves the option to integrate with portions of your site which may not be served over HTTPS. If you notice, on Area51, we don't do automatic HTTP to HTTPS redirection so that we can test both connections. The cookies for this site are not set to secure to allow for that.

We could add an "Automatic" option that we enable by default on new installs and administrators can switch to Yes/No as their situation calls for it.

P_I
Community Team
Posts: 146
Joined: Fri Oct 31, 2014 4:56 am

Re: SameSite=None; Secure Cookie Settings

Post by P_I »

Noxwizard wrote: Sat Nov 23, 2024 5:10 pm
> This leaves the option to integrate with portions of your site which may not be served over HTTPS.

Isn't that the exception rather than the rule these days? I would suggest it simplifies and reduces the chances for error/misconfiguration if this type of exception is kept as hidden as possible.

Noxwizard wrote: Sat Nov 23, 2024 5:10 pm
> We could add an "Automatic" option that we enable by default on new installs and administrators can switch to Yes/No as their situation calls for it.

That would definitely be a step in the right direction. Make it "invisible" or as simple as possible for the majority of use cases and sites. "Automatic" could likely extend to the whole Cookie settings configuration: let the software determine appropriate cookie parameters and eliminate potential admin error.

Handle the exceptions if/when they might be needed. Perhaps draw some inspiration from Manual:$wgCookieSecure - MediaWiki and Cookies – Advanced Administration Handbook | Developer.WordPress.org.

Bottom line, as we see from the support topics, minimizing what is required for cookie setup would go a long way towards simplification and reduced support bandwidth.
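The following is an added example written for this page; it is not phpBB code and not anything the posters above wrote. It covers two things the thread discusses: the SameSite change janus proposed for session.php, and the "Automatic" cookie_secure setting Noxwizard and P_I talk about. Two points worth making concrete from the snippet in the first post: as written, the replacement appends "; SameSite=Strict" after the existing trailing ";", so a cookie set without HttpOnly ends up as "...; secure;; SameSite=Strict", and it hardcodes Strict even though the question was about SameSite=None. SameSite=None is only accepted by browsers when Secure is also present, so a builder should refuse that combination rather than emit a cookie the browser will drop. The function names cookie_secure_for() and build_set_cookie(), the 'auto' setting value, the cookie name "example_sid" and the sample $_SERVER arrays are all assumptions made for this example; the trusted-proxy list exists because any client can send X-Forwarded-Proto itself.

```php
<?php
declare(strict_types=1);

// Added example, not phpBB code. cookie_secure_for(), build_set_cookie() and the
// 'auto' setting are hypothetical names chosen for this illustration.

/**
 * Resolve the Secure flag from a cookie_secure setting of 'yes', 'no' or 'auto'.
 * 'auto' follows the scheme the request actually arrived on. X-Forwarded-Proto is
 * only believed when REMOTE_ADDR is a listed reverse proxy, because a client can
 * forge that header on a plain HTTP connection.
 */
function cookie_secure_for(string $setting, array $server, array $trusted_proxies = []): bool
{
    if ($setting === 'yes') {
        return true;
    }
    if ($setting === 'no') {
        return false;
    }

    $https = isset($server['HTTPS']) && $server['HTTPS'] !== '' && strtolower($server['HTTPS']) !== 'off';
    if (!$https
        && isset($server['HTTP_X_FORWARDED_PROTO'], $server['REMOTE_ADDR'])
        && in_array($server['REMOTE_ADDR'], $trusted_proxies, true)) {
        // Only the first entry describes the client-facing hop.
        $first = trim(explode(',', $server['HTTP_X_FORWARDED_PROTO'])[0]);
        $https = strtolower($first) === 'https';
    }
    return $https;
}

/**
 * Build the value of a Set-Cookie header. Attributes are collected in a list and
 * joined with '; ', so an omitted optional attribute never leaves an empty ';;'.
 */
function build_set_cookie(string $name, string $value, array $opts): string
{
    $same_site = $opts['samesite'] ?? 'Lax';
    if (!in_array($same_site, ['Strict', 'Lax', 'None'], true)) {
        throw new InvalidArgumentException("unknown SameSite value: $same_site");
    }
    $secure = (bool) ($opts['secure'] ?? false);
    if ($same_site === 'None' && !$secure) {
        // Browsers reject a SameSite=None cookie that lacks Secure; fail loudly
        // instead of sending a cookie that is silently dropped.
        throw new InvalidArgumentException('SameSite=None requires Secure');
    }

    $parts = [$name . '=' . rawurlencode($value)];
    if (!empty($opts['expires'])) {
        $parts[] = 'expires=' . gmdate('D, d-M-Y H:i:s \G\M\T', (int) $opts['expires']);
    }
    $parts[] = 'path=' . ($opts['path'] ?? '/');
    if (!empty($opts['domain'])) {
        $parts[] = 'domain=' . $opts['domain'];
    }
    if ($secure) {
        $parts[] = 'Secure';
    }
    if (!empty($opts['httponly'])) {
        $parts[] = 'HttpOnly';
    }
    $parts[] = 'SameSite=' . $same_site;

    return implode('; ', $parts);
}

// Constructed sample requests, not real traffic.
$proxies  = ['10.0.0.2'];
$requests = [
    'direct TLS'            => ['HTTPS' => 'on', 'REMOTE_ADDR' => '203.0.113.10'],
    'plain HTTP'            => ['REMOTE_ADDR' => '203.0.113.10'],
    'TLS via trusted proxy' => ['REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    'forged XFP header'     => ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_X_FORWARDED_PROTO' => 'https'],
];
foreach ($requests as $label => $server) {
    printf("%-22s -> %s\n", $label, cookie_secure_for('auto', $server, $proxies) ? 'Secure' : 'no Secure');
}

// The session cookie the way the thread's session.php line would set it, with
// SameSite appended cleanly. In session.php this string would be passed to
// header('Set-Cookie: ' . $header, false); here it is just printed.
$header = build_set_cookie('example_sid', 'abc123', [
    'expires'  => time() + 3600,
    'path'     => '/',
    'domain'   => '',
    'secure'   => cookie_secure_for('auto', $requests['direct TLS'], $proxies),
    'httponly' => true,
    'samesite' => 'Lax',
]);
echo 'Set-Cookie: ' . $header . "\n";

// The combination the thread title is about, when cookie_secure is off:
try {
    build_set_cookie('example_sid', 'abc123', ['secure' => false, 'samesite' => 'None']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}
```

One consequence of 'auto' is worth keeping in mind for the mixed HTTP/HTTPS case Noxwizard describes: a cookie set with Secure over HTTPS is never sent on an HTTP request, so a session established on the HTTPS side is invisible to the HTTP pages. That is exactly the situation in which an explicit Yes/No override remains useful, which is why the example keeps all three values rather than only 'auto'. On PHP 7.3 and later the same attributes can also be passed through the options array of setcookie(), which accepts a 'samesite' key, instead of assembling the header by hand.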
