user3526609

Reputation: 535

PHP setting a Session-Cookie with samesite

I currently have a PHP script that sets the sametime cookie as follows:

    session_set_cookie_params($cookie_timeout, $cookieParams["path"], $cookie_domain, $session_secure, $cookie_httponly);

I want to add samesite="Lax" to the above statement by adding an extra parameter where ($cookie_samesite="Lax")

    session_set_cookie_params($cookie_timeout, $cookieParams["path"], $cookie_domain, $session_secure, $cookie_httponly, $cookie_samesite);

The new output of the statement would look like

    1800, /, ".vasports.com.au", 1, 1, "Lax"

Is this the correct format for the samesite parameter?

NOTE: I do not have PHP 7.3 installed yet, hence I can't test this properly. I've referred to the PHP doco for "session_set_cookie_params". I have also checked

PHP setcookie "SameSite=Strict"?

Upvotes: 18

Views: 28558

Answers (3)

DiegoDD

Reputation: 1665

Adapted from SilverShadow's answer, but fixing the syntax for PHP <7.3, since session_set_cookie_params() can't take an array as a single parameter until precisely 7.3; instead, each parameter needs to be set. And autodetecting the PHP version for the correct option, so you can use it even if you later upgrade to 7.3:

    // set as your own needs:
    $maxlifetime = 0;
    $path = '/';
    $domain = '';
    $secure = false;
    $httponly = false;
    $samesite = 'lax'; // here is what we need

    if (PHP_VERSION_ID < 70300) {
        session_set_cookie_params($maxlifetime, $path.'; samesite='.$samesite, $domain, $secure, $httponly);
    } else {
        // note I use `array()` instead of `[]` to allow support of php <5.4
        session_set_cookie_params(array(
            'lifetime' => $maxlifetime,
            'path' => $path,
            'domain' => $domain,
            'secure' => $secure,
            'httponly' => $httponly,
            'samesite' => $samesite
        ));
    }

Upvotes: 8

Silver Shadow

Reputation: 384

As of PHP 7.3 you can throw an options array into set_cookie_params that supports SameSite.

    session_set_cookie_params([
        'lifetime' => $cookie_timeout,
        'path' => '/',
        'domain' => $cookie_domain,
        'secure' => $session_secure,
        'httponly' => $cookie_httponly,
        'samesite' => 'Lax'
    ]);

On PHP <7.3 you can add the SameSite parameter by adding it in the "path" param.

    // PHP < 7.3 accepts only positional arguments, so SameSite is appended to the path
    session_set_cookie_params(
        $cookie_timeout,
        '/; SameSite=Lax', // <-- this way!
        $cookie_domain,
        $session_secure,
        $cookie_httponly
    );

Upvotes: 36

user3526609

Reputation: 535

After some further research ...

  1. Get current parameters first.
  2. Then change the parameters as required, in this case [samesite]="Lax".
  3. Set the cookie.
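
    // The array form of session_set_cookie_params() requires PHP 7.3+
    $cookieParams = session_get_cookie_params();
    $cookieParams['samesite'] = "Lax"; // the key must be a quoted string
    session_set_cookie_params($cookieParams);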

Check your 'set-cookie:' header and you should now see the text 'SameSite=Lax' at the end like this.

    set-cookie: ssid=b930bc608a911781f459a4f46b2c513d; expires=Wed, 16-Oct-2019 10:48:49 GMT; Max-Age=1800; path=/; secure; HttpOnly; SameSite=Lax

Upvotes: 3
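The answers above combined into one version-aware helper, as an added example that is not code from any of the posters. The function name `start_samesite_session()` and its parameters are hypothetical, and it assumes a web SAPI, since `headers_list()` reports nothing under the CLI. It allowlists the SameSite value (on PHP <7.3 the value is concatenated into the header through the path argument) and refuses `SameSite=None` without `Secure`.

```php
<?php
// Added example: start_samesite_session() and its parameters are hypothetical names.

function start_samesite_session(string $samesite = 'Lax', int $lifetime = 1800,
                                string $domain = '', bool $secure = true): array
{
    // Allowlist the value: on PHP < 7.3 it is concatenated into the header via
    // the path argument, so an unchecked string could inject extra attributes.
    $samesite = ucfirst(strtolower($samesite));
    if (!in_array($samesite, ['Lax', 'Strict', 'None'], true)) {
        throw new InvalidArgumentException("Invalid SameSite value: $samesite");
    }
    // Browsers reject SameSite=None cookies that lack the Secure attribute.
    if ($samesite === 'None' && !$secure) {
        throw new InvalidArgumentException('SameSite=None requires secure=true');
    }

    if (PHP_VERSION_ID >= 70300) {
        session_set_cookie_params([
            'lifetime' => $lifetime,
            'path'     => '/',
            'domain'   => $domain,
            'secure'   => $secure,
            'httponly' => true,
            'samesite' => $samesite,
        ]);
    } else {
        // Pre-7.3 workaround from the answers: append the attribute to the path.
        session_set_cookie_params($lifetime, '/; SameSite=' . $samesite, $domain, $secure, true);
    }
    session_start();

    // Return the Set-Cookie headers PHP has queued so the caller can verify them.
    return array_values(array_filter(headers_list(), function ($h) {
        return stripos($h, 'Set-Cookie:') === 0;
    }));
}

foreach (start_samesite_session('Lax') as $header) {
    // Flag any session cookie header that is missing the expected attributes.
    $ok = stripos($header, 'SameSite=Lax') !== false && stripos($header, 'HttpOnly') !== false;
    error_log(($ok ? 'OK   ' : 'WEAK ') . $header);
}
```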
