Samesite and secure cookies

Discussion regarding Joomla! 3.x security issues.

Moderators: Bernard T, mandville, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Windows Defender SmartScreen Issues <-- please read this if using Windows 10.
Post Reply
User avatar
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 151
Joined: Fri Jan 19, 2007 10:32 pm

Samesite and secure cookies

Post by fatica » Thu Jul 29, 2021 6:22 pm


We have a use case where we have Joomla 3.9.26 running on PHP 7.2. We are displaying the Joomla front-end login in an IFRAME and we can see that session cookies are not set anymore due to Chrome's updated treatment of non-secure cookies that don't explicitly set the "Samesite" header component.

I discovered that this value of JConfig::cookie_path allows us to inject the SameSite=none and secure attributes

public $cookie_path = '/; SameSite=None; Secure';

This is a hack of PHP's "setcookie" function, which somewhat blindly incorporates the path and allows us to inject the proper Set-cookie header

This will likely not work with 7.3.

Reference: ... ent-549181

Just posting here in case this helps anyone out. We thought for a bit that we would have to wait until all servers were upgraded and this fix helps us out in the very short term.


Post Reply

Return to “Security in Joomla! 3.x”