How to fix “set SameSite cookie to none” warning?

Question 1

I created a chrome extension and from popup.js I called PHP script (Using Xhttprequest) that reads the cookie. Like this:

$cookie_name = "mycookie";

if(isset($_COOKIE[$cookie_name]))
{
    echo $_COOKIE[$cookie_name];
}
else{
    echo "nocookie";
}

But I'm getting this warning at errors in extensions.

A cookie associated with a cross-site resource at (Here is my domain) was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

I tried to create a cookie like this but it didn't help.

setcookie($cookie_name,$cookie_value, time() + 3600*24, "/;samesite=None ","mydomain.com", 1);

Following instructions from this question.

Question 2

I'm also in a "trial and error" for that, but this answer from Google Chrome Labs' Github helped me a little. I defined it into my main file and it worked - well, for only one third-party domain. Still making tests, but I'm eager to update this answer with a better solution :)

EDIT: I'm using PHP 7.4 now, and this syntax is working good (Sept 2020):

$cookie_options = array(
  'expires' => time() + 60*60*24*30,
  'path' => '/',
  'domain' => '.domain.com', // leading dot for compatibility or use subdomain
  'secure' => true, // or false
  'httponly' => false, // or false
  'samesite' => 'None' // None || Lax || Strict
);

setcookie('cors-cookie', 'my-site-cookie', $cookie_options);

If you have PHP 7.2 or lower (as Robert's answered below):

setcookie('key', 'value', time()+(7*24*3600), "/; SameSite=None; Secure");

If your host is already updated to PHP 7.3, you can use (thanks to Mahn's comment):

setcookie('cookieName', 'cookieValue', [
  'expires' => time()+(7*24*3600,
  'path' => '/',
  'domain' => 'domain.com',
  'samesite' => 'None',
  'secure' => true,
  'httponly' => true
]);

Another thing you can try to check the cookies, is to enable the flag below, which—in their own words—"will add console warning messages for every single cookie potentially affected by this change":

chrome://flags/#cookie-deprecation-messages

See the whole code at: https://github.com/GoogleChromeLabs/samesite-examples/blob/master/php.md, they have the code for same-site-cookies too.

Question 3

Try using setcookie with a a path specified, this used to catch me out, as it assumes the current path by default. Using / will make the cookie work for the whole domain

setcookie("Username", $username, time()+3600*24*30, '/');

Question 4

<?php
$cookie_name = "test";
$cookie_value = "123";
setcookie($cookie_name, $cookie_value, time() + (86400 * 30), "/"); // 86400 = 1 day
?>

You need to write your php code like this

You can use this script If u can want particular cookie

<script>
function getCookie(cname) {
    var name = cname + "=";
    var ca = document.cookie.split(';');
    for(var i=0; i<ca.length; i++) {
        var c = ca[i];
        while (c.charAt(0)==' ') c = c.substring(1);
        if (c.indexOf(name) == 0) return c.substring(name.length,c.length);
    }
    return "";
}

console.log(getCookie('test'));
<script>

Question 5

For 1 minute, you can use:

var date = new Date();
date.setTime(date.getTime() + (60 * 1000));
$.cookie('username', username, { expires: date });  // expires after 1 minute

For 30 seconds, you can use:

var date = new Date();
date.setTime(date.getTime() + (30 * 1000));
$.cookie('username', username, { expires: date });  // expires after 30 second

Question 6

The advice from How to suppress "WARNING: This key is not certified with a trusted signature!" does not remove the warning in my case:

Technically, you didn't implement the advice. You can see in your output that the command didn't do anything because it was unable to find a private keypair – so nothing got signed even though the command was run:

gpg: no default secret key: Kein geheimer Schlüssel
gpg: no default secret key: No secret key 
Key has not been changed,

--lsign-key and similar signing commands use your private keypair to sign things, so they will only work once you have imported or generated one.

Until that's done, just manually compare the signer fingerprint from --verify with the one you got from the website. If the fingerprints match, the warning can be safely ignored.

Side-note: I have seen that one of the signature validation points is not fulfilled. Could that be the reason? It says that the certificate is valid till Saturday, 30. April 2022 17:54:41, but the Gpg4win website lets you check the code signing certificate to be valid not after 16:54:41 of that day.

You're in a different timezone. Windows shows you the timestamp in local time, but certificate validity is always stored as UTC time, so it always becomes invalid at exactly the same moment (16:54:41 UTC) no matter where you are around the world.

Side note: Authenticode signatures are timestamped (unlike PGP signatures), so once a file has been signed it'll remain valid even after the certificate expires.

How to fix “set SameSite cookie to none” warning?

Answers

php,cookies