Filip Kaszczyński

Reputation: 149

Symfony Iframe Logging Problem On Chrome With SameSite Cookies

I have A site and B site. Both on HTTPS, both on different domains. A site runs Symfony where I prepared a login page which I include via iframe on page B. The logging process works correctly on any major browser except Chrome with the enabled flag #same-site-by-default-cookies (chrome://flags/#same-site-by-default-cookies). If I disable this flag on Chrome it works correctly as well.

Does anyone know what I can do to fix it? I probably need to set the SameSite flag inside the cookie to "None", but I have no idea which cookie it concerns and where to change it.

I am using:

My configs: framework.yaml

framework:
    secret: '%env(APP_SECRET)%'
    translator: { fallbacks: [pl] }
    form: { enabled: true }
    validation: { enable_annotations: true }
    default_locale: '%locale%'
    csrf_protection: true

    # Enables session support. Note that the session will ONLY be started if you read or write from it.
    # Remove or comment this section to explicitly disable session support.
    session:
        handler_id: Symfony\Component\HttpFoundation\Session\Storage\Handler\PdoSessionHandler

    #esi: true
    fragments: ~
    http_method_override: true
    php_errors:
        log: true

security.yaml

security:
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            switch_user: true
            pattern: ^/
            context: user
            remember_me:
                #key:      "%secret%"
                secret: "%secret%"
                lifetime: 31536000 # 365 days in seconds
                path: /
                domain: ~ # Defaults to the current domain from $_SERVER
                token_provider: Symfony\Bridge\Doctrine\Security\RememberMe\DoctrineTokenProvider
            form_login:
                provider: fos_userbundle
                # csrf_token_generator: security.csrf.token_manager
                # if you are using Symfony < 2.8, use the following config instead:
                # csrf_provider: form.csrf_provider
                always_use_default_target_path: true
                default_target_path: /after-login
                success_handler: authentication_handler
                failure_handler: authentication_handler
            oauth:
                resource_owners:
                    facebook: "/loginSocial/check-facebook"
                    google: "/loginSocial/check-google"
                login_path: /loginSocial
                use_forward: false
                failure_path: /loginSocial
                oauth_user_provider:
                    service: fm_user_provider
                always_use_default_target_path: true
                default_target_path: /after-login
            logout:
                target: fmUserAfterLogout
                success_handler: logout_handler
            anonymous: true

Upvotes: 1

Views: 2144

Answers (1)

F00x

Reputation: 124

framework.yaml

Add the option "cookie_samesite":

session:
    cookie_samesite: none

Symfony Doc

Upvotes: 3
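As an added example (not part of the question or the answer above), here is a small Python check that parses the Set-Cookie headers of a login response and reports how Chrome's SameSite-by-default rules treat each cookie when the page is loaded in a cross-site iframe: a cookie with no SameSite attribute is treated as Lax and is not used cross-site, and SameSite=None is only honoured when the Secure attribute is also present. This is the check to run against the login page after changing the Symfony config. The header values are constructed for the example, not captured from the asker's site; PHPSESSID and REMEMBERME are Symfony's default names for the session and remember-me cookies.

```python
"""Classify Set-Cookie headers by how Chrome (SameSite-by-default) treats
them in a cross-site iframe. Added example; assumptions are marked below."""
from dataclasses import dataclass


@dataclass
class ParsedCookie:
    name: str
    value: str
    attrs: dict  # lower-cased attribute name -> value, or None for flags


def parse_set_cookie(header: str) -> ParsedCookie:
    """Parse one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else None
    return ParsedCookie(name.strip(), value.strip(), attrs)


def classify(cookie: ParsedCookie) -> str:
    """Return 'sent', 'blocked' or 'rejected' for a cross-site iframe context.

    - no SameSite attribute  -> Chrome defaults it to Lax      -> 'blocked'
    - SameSite=Lax / Strict  -> never attached cross-site       -> 'blocked'
    - SameSite=None, no Secure -> Chrome refuses the cookie     -> 'rejected'
    - SameSite=None; Secure  -> works inside the iframe         -> 'sent'
    """
    samesite = (cookie.attrs.get("samesite") or "lax").lower()
    secure = "secure" in cookie.attrs
    if samesite == "none":
        return "sent" if secure else "rejected"
    return "blocked"


def audit(set_cookie_headers) -> dict:
    """Map each cookie name to its verdict, for a list of Set-Cookie values."""
    return {c.name: classify(c) for c in map(parse_set_cookie, set_cookie_headers)}


# Constructed sample headers (not real captures). The first set is what a
# default Symfony session cookie looks like, the second what the answer's
# cookie_samesite: none setting produces once Secure is added as well.
BEFORE_FIX = [
    "PHPSESSID=constructedsessionid; path=/; HttpOnly",
    "REMEMBERME=constructedtoken; expires=Fri, 01 Jan 2021 00:00:00 GMT; "
    "path=/; HttpOnly",
]
HALF_FIX = [
    "PHPSESSID=constructedsessionid; path=/; HttpOnly; SameSite=None",
]
AFTER_FIX = [
    "PHPSESSID=constructedsessionid; path=/; secure; HttpOnly; SameSite=None",
]

if __name__ == "__main__":
    for label, headers in (("before", BEFORE_FIX), ("half", HALF_FIX), ("after", AFTER_FIX)):
        print(label, audit(headers))
```

The "half" case is the one to watch for: `cookie_samesite: none` on its own yields a cookie that Chrome drops entirely, so the Secure attribute must also be present. In Symfony's `framework.session` block that is the `cookie_secure` option (`auto` sets Secure on HTTPS requests); the remember-me cookie is configured separately under `remember_me` in security.yaml and needs the same treatment if it is meant to survive inside the iframe.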
