Hey everyone - any downside to this solution?
Have read various threads on Drupal related to this issue (eg: https://www.drupal.org/forum/support/module-development-and-code-questio...).
Overview:
Moved site from one host to another (PHP 7.4.3, Ubuntu). No changes to code. Website domain remains the same: eg: abc.xyz.com. Issue occurs when navigating directly to IP address or to domain.
- Can login to website using Firefox or Safari or Mobile Browser on iPhone
- Cannot login on Chrome or Edge
- Error in Chrome: go to -> Developer Tools -> Applications -> Cookies: "Mark cross-site cookies as Secure to allow setting them in cross-site contexts"
Tried:
1) Clearing browser cache
2) Checked time on server and time on browser (multiple PCs can't log in)
3) Clearing all _cache tables on db
4) Clearing sessions table in DB. Confirming that login timestamp in sessions table matches browser/PC time and server time.
5) Updating settings.php to include 'Secure':
    if (strpos($_SERVER['HTTP_USER_AGENT'], 'Chrome') !== false
        || strpos($_SERVER['HTTP_USER_AGENT'], 'CriOS') !== false) {
      ini_set('session.cookie_path', '/; samesite=None; Secure;');
    }

This removed the error in Chrome, "Mark cross-site cookies as Secure to allow setting them in cross-site contexts", however still could not log in to website in Chrome or Edge.
6) Solution: changed samesite=Lax in settings.php
    if (strpos($_SERVER['HTTP_USER_AGENT'], 'Chrome') !== false
        || strpos($_SERVER['HTTP_USER_AGENT'], 'CriOS') !== false) {
      ini_set('session.cookie_path', '/; samesite=Lax;');
    }

Any downside to this solution?
Comments
Probably OK. I would have been inclined to set it on the server, in a php.ini file.
(source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/Sam...)
Digit Professionals specialising in Drupal, WordPress & CiviCRM support for publishers in non-profit and related sectors
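
The server-side setting suggested in the comment above, as an added example that is not part of the original thread: PHP 7.3 and later have a native `session.cookie_samesite` directive, so the attribute can be set for every browser without appending it to `session.cookie_path` or checking the user agent. The helper name `example_session_cookie_ini()` and the HTTPS detection are assumptions; a site behind a TLS-terminating proxy needs its own check.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7.3, where
// session.cookie_samesite is a native directive. The php.ini equivalent is:
//   session.cookie_samesite = "Lax"
//   session.cookie_httponly = 1
//   session.cookie_secure   = 1   ; only when the site is served over HTTPS

/**
 * Hypothetical helper: returns the session cookie ini values for one request.
 * $server is the $_SERVER array, passed in so the logic can be checked alone.
 */
function example_session_cookie_ini(array $server, string $samesite = 'Lax'): array {
  if (!in_array($samesite, ['Lax', 'Strict', 'None'], true)) {
    throw new InvalidArgumentException("Unknown SameSite value: $samesite");
  }
  // Assumption: TLS terminates on this host, so $_SERVER['HTTPS'] is reliable.
  $https = !empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off';

  // Chrome rejects SameSite=None cookies that lack Secure (the warning quoted
  // in the post), and a Secure cookie is never sent over plain HTTP, so None
  // is only usable on HTTPS. Fall back to Lax on an HTTP request.
  if ($samesite === 'None' && !$https) {
    $samesite = 'Lax';
  }

  return [
    'session.cookie_path'     => '/',        // plain path, no attributes appended
    'session.cookie_samesite' => $samesite,
    'session.cookie_secure'   => $https ? '1' : '0',
    'session.cookie_httponly' => '1',
  ];
}

// In settings.php, before the session starts; applies to all browsers alike.
foreach (example_session_cookie_ini($_SERVER) as $name => $value) {
  ini_set($name, $value);
}
```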