This looks good from the commit. I will test this later.

In app/code/core/Mage/Core/Model/Cookie.php there is a delete method that that uses setcookie. Should we use the same procedure as the set method? (i.e. check for PHP version and pass the samesite parameter if applicable).

This looks good from the commit. I will test this later.

In app/code/core/Mage/Core/Model/Cookie.php there is a delete method that that uses setcookie. Should we use the same procedure as the set method? (i.e. check for PHP version and pass the samesite parameter if applicable).

For consistency one could say it would also be nice to have the same code in the "public function delete()", although the presence here isn't as critical as in the "public function renew()". If I can find some time today I will try and make this more complete.

Another upgrade that would be great is the ability to specify a different policy for the backend and the frontend. Perhaps this is mostly useful for the session cookie. For example I would configure the backend to have Strict and for the frontend Lax or None.

Hello,

I reviewed the code and I wonder if we did have to force $secure to true if same site is None because of the specification : https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#SameSiteNone_requires_Secure

This looks good from the commit. I will test this later.

In app/code/core/Mage/Core/Model/Cookie.php there is a delete method that that uses setcookie. Should we use the same procedure as the set method? (i.e. check for PHP version and pass the samesite parameter if applicable).

I have made some changes. The delete function now re-uses the "set function", only with forced "null" values for cookie value and period. (Same way the renew function was already implemented).

Hello,

I reviewed the code and I wonder if we did have to force $secure to true if same site is None because of the specification : https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#SameSiteNone_requires_Secure

I have reviewed the specifications you have linked and you are indeed correct. I have made the required changes to make sure the secure flag is enforced of the SameSite is set to None.

sorry, had no time to review this yet, but I saw M2 did release something related. Did someone already have a look at what they did?

Any update guys?

@kdckrs We finally were able to test this PR in our development environment and it worked as expected. We will deploy into production next week and report back.

Feedback about experience.

We used your solution in production on our website since almost 2 months.
It seems to work as expected.

Thx for it.

@Flyingmana I saw there was a new release without this PR, any chance it will be included in the next one? We have been using this in a production environment for a while now and everything seems to be working correctly. (Others have mentioned this too, see previous comments)

lets see, comments from @kkrieger85 and @nimajneb-torram are resolved.
@rvelhote and @nimajneb-torram have tested it.
Should be fine, so I will merge it for the next release.

The code looks good but the current behavior (no SameSite flag) is equivalent to "Lax" but the PR makes "None" the default. This has the effect of actually reducing security and also potentially breaking non-https sites (although these really shouldn't remain anyway). I propose making Lax the default.

Unit Test Results

1 files  1 suites   0s ⏱️
0 tests 0 ✔️ 0 💤 0 ❌
2 runs  2 ✔️ 0 💤 0 ❌

Results for commit 26b9eee.

In the backend, on General > Web, Magento's autoloader attempts to load Mage_Adminhtml_Model_System_Config_Source_Cookie_Samesite , while the class file is named "SameSite.php" (with an upper "Site" in it). The file is not auto-loaded on case sensitive filesystems, and causes wild errors.
I'd recommend to rename the file (and class) Unix-friendly to "Samesite.php".

*Edit: Not sure if that's worth a bug report, just shout if so.

@ansgarbecker you are right! Fixing!

Edit: PR #1390 has been created for this ;)