DEV Community

loading...

Discussion on: Dealing with Chrome SameSite cookie attribute in Shopify Apps made with PHP/Laravel

Collapse
rowan_m profile image
Rowan Merewood

Nice article! For the benefit of anyone reading who didn't take your advice and fully understand the issues first ;) Please, please, please remember you ONLY need SameSite=None; Secure for cookies that are sent in cross-site / third-party contexts. So, that means these embedded apps or services. Cookies for first-party use, i.e. the domain in the browser matches the domain of the cookie, then consider SameSite=Lax or SameSite=Strict instead. Do not just blindly add SameSite=None; Secure to every single cookie.

Collapse
jasperf profile image
Jasper Frumau

So for the Laravel session and XSRF Token cookies we should use SameSite="Strict at config/session.php? How would we implement this and only have this apply for these two cookies I am now getting warnings for?

cookie `host-name_staging_session` will be soon rejected because it has
 the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read
 https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite 1748
Collapse
rowan_m profile image
Rowan Merewood

I'd suggest Lax for your session cookie, not Strict.