问题描述
我希望任何人都能给我一些解决我问题的想法.我正在尝试应用SameSite Cookie来使会话正常工作,但似乎不起作用.访问过的网站html:
I hope anybody can give me some ideas to my problem. I am trying to apply SameSite cookie to make session work but it seems it doesn't work. The visited site html:
<iframe src="https://www.example.com/test/iframe.php"></iframe>
iframe源站点:
Iframe source site:
<?php
header('Set-Cookie: cross-site-cookie=PHPSESSID; SameSite=None; Secure');
session_start();
if(!isset($_SESSION['test'])){
echo 1;
$_SESSION['test'] = 'ee2';
}else{
echo $_SESSION['test'];
}
如果我访问该网站,我仍然会收到在https://www.example.com/上设置了与跨站点资源关联的cookie,但没有使用SameSite属性.它已被阻止,因为Chrome现在仅在具有跨站点请求的cookie的情况下(如果将它们设置为SameSite = None和Secure来设置).
在浏览器控制台中不会保存消息,并且不会保存会话.
If I visit the website, I still receive A cookie associated with a cross-site resource at https://www.example.com/ was set without the SameSite attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with SameSite=None and Secure.
message in browser console and session is not saved.
奇怪的是,实际上已经设置了cookie:
Strange thing is that the cookie has been actually set:
我错过了什么吗?如果设置了跨站点cookie,为什么在控制台中会收到此消息?会话无法工作的原因可能是什么?我正在使用php 7.1.33.如果我直接打开iframe,它会正常工作,而且如果我使用浏览器打开该网站(在默认情况下未启用Samesite cookie标志进行测试)的情况下,它也可以正常工作.
Am I missing something? Why do I get this message in console if cross-site-cookie is set and what could be reasons for session to not work? I am using php 7.1.33. If I open iframe directly, it works and it also works properly if I open the site with browser where I haven't enabled the SameSite by default cookies flag for testing.
推荐答案
设置会话&Cookies param php: https://www.php.net/manual/zh-CN/function.session-set-cookie-params.php 浏览器: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
Set session & cookies param php: https://www.php.net/manual/en/function.session-set-cookie-params.phpBrowser:https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
<?php
session_set_cookie_params(["SameSite" => "Strict"]); //none, lax, strict
session_set_cookie_params(["Secure" => "true"]); //false, true
session_set_cookie_params(["HttpOnly" => "true"]); //false, true
session_start(); //everything before this
或php.ini:
[Session]
session.cookie_samesite = "Strict"
session.cookie_secure = 1
session.cookie_httponly = 1
这篇关于PHP SameSite会话问题,会话不起作用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!