Codeigniter 3 SameSite attribute for csrf protection
Solution 1
I had this same problem, but with PHP 7.2 and CI 3.x. The problem was solved by making the following change to the application/config/config.php file:
$config['cookie_prefix'] = '';
$config['cookie_domain'] = '';
$config['cookie_path'] = '/; SameSite=None';
$config['cookie_secure'] = TRUE;
$config['cookie_httponly'] = FALSE;
Solution 2
Never modify the files in the SYSTEM directory, because you may have problems updating CodeIgniter. It is better that, in APPLICATION/CORE, you create a file called MY_Security.php and extend the Security controller.
Example:
<?php defined('BASEPATH') OR exit('No direct script access allowed');

class MY_Security extends CI_Security {

    /**
     * CSRF Set Cookie with samesite
     *
     * Same logic as CI_Security::csrf_set_cookie(), but uses the array
     * signature of setcookie() (PHP 7.3+) so the SameSite attribute can be set.
     *
     * @codeCoverageIgnore
     * @return CI_Security
     */
    public function csrf_set_cookie()
    {
        $expire        = time() + $this->_csrf_expire;
        $secure_cookie = (bool) config_item('cookie_secure');

        // A Secure cookie sent over plain HTTP would be dropped by the browser.
        if ($secure_cookie && ! is_https())
        {
            return FALSE;
        }

        setcookie($this->_csrf_cookie_name,
            $this->_csrf_hash,
            ['samesite' => 'Strict',
             'secure'   => $secure_cookie,   // follow $config['cookie_secure'] rather than forcing TRUE
             'expires'  => $expire,
             'path'     => config_item('cookie_path'),
             'domain'   => config_item('cookie_domain'),
             'httponly' => config_item('cookie_httponly')]);

        log_message('info', 'CSRF cookie sent');

        return $this;
    }
}
Solution 3
There is an official issue on CI for this; check it here: https://github.com/bcit-ci/CodeIgniter/issues/5791
Note that this fix needs PHP 7.3.
Solution 4
Problem is solved.
1. Add this config in application/config/config.php for all cookies in the framework:
ini_set('session.cookie_samesite', 'None');
ini_set('session.cookie_secure', TRUE);
2. Edit this line in system/core/Security.php (around line 273), replacing
setcookie(
    $this->_csrf_cookie_name,
    $this->_csrf_hash,
    $expire,
    config_item('cookie_path'),
    config_item('cookie_domain'),
    $secure_cookie,
    config_item('cookie_httponly')
);
with
setcookie($this->_csrf_cookie_name, $this->_csrf_hash, [
    'samesite' => 'None',
    'secure'   => true,
    'expires'  => $expire,
    'path'     => config_item('cookie_path'),
    'domain'   => config_item('cookie_domain'),
    'httponly' => config_item('cookie_httponly')
]);
so the CSRF cookie supports the SameSite attribute.
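The override in Solution 2 and the core edit in Solution 4 both depend on the array form of setcookie(), which only exists from PHP 7.3, while the comments below note that the cookie_path trick from Solution 1 breaks on that same version. The following MY_Security.php is an added example, not code from any of the answers or from CodeIgniter itself: it keeps the override approach, reads the desired value from an assumed config item $config['cookie_samesite'] (not on the page), falls back to writing the Set-Cookie header by hand on older PHP, and forces the Secure flag whenever SameSite=None is requested, since browsers ignore SameSite=None without it. It relies on CI 3's protected properties _csrf_cookie_name, _csrf_hash and _csrf_expire and on the config_item(), is_https() and log_message() helpers.

```php
<?php defined('BASEPATH') OR exit('No direct script access allowed');

/**
 * application/core/MY_Security.php (added example, not the project's code)
 *
 * Sends the CSRF cookie with a SameSite attribute read from the assumed
 * config item $config['cookie_samesite'] ('Lax', 'Strict' or 'None').
 */
class MY_Security extends CI_Security {

    public function csrf_set_cookie()
    {
        $expire   = time() + $this->_csrf_expire;
        $samesite = $this->_normalize_samesite(config_item('cookie_samesite'));
        // SameSite=None is only honoured together with Secure, so force it then.
        $secure   = (bool) config_item('cookie_secure') || $samesite === 'None';
        $httponly = (bool) config_item('cookie_httponly');

        // Same guard as CI_Security: a Secure cookie over plain HTTP is dropped.
        if ($secure && ! is_https())
        {
            log_message('error', 'CSRF cookie not sent: Secure/SameSite=None requires HTTPS');
            return FALSE;
        }

        if (PHP_VERSION_ID >= 70300)
        {
            // PHP 7.3+ understands the 'samesite' option directly.
            setcookie($this->_csrf_cookie_name, $this->_csrf_hash, [
                'expires'  => $expire,
                'path'     => config_item('cookie_path'),
                'domain'   => config_item('cookie_domain'),
                'secure'   => $secure,
                'httponly' => $httponly,
                'samesite' => $samesite,
            ]);
        }
        else
        {
            // Older PHP: build the header ourselves instead of smuggling
            // "; SameSite=..." through the path argument.
            header('Set-Cookie: '.self::build_set_cookie(
                $this->_csrf_cookie_name, $this->_csrf_hash, $expire,
                config_item('cookie_path'), config_item('cookie_domain'),
                $secure, $httponly, $samesite
            ), FALSE); // FALSE: do not replace other Set-Cookie headers
        }

        log_message('info', 'CSRF cookie sent with SameSite='.$samesite);
        return $this;
    }

    /** Map the config value onto the three valid tokens; anything else becomes Lax. */
    protected function _normalize_samesite($value)
    {
        $value = ucfirst(strtolower(trim((string) $value)));
        return in_array($value, ['Lax', 'Strict', 'None'], TRUE) ? $value : 'Lax';
    }

    /** Assemble a Set-Cookie header value by hand (used on PHP < 7.3). */
    public static function build_set_cookie($name, $value, $expire, $path, $domain, $secure, $httponly, $samesite)
    {
        // Reject separators/control characters so config values cannot inject attributes.
        foreach ([$path, $domain] as $attr)
        {
            if (strpbrk((string) $attr, ";,\r\n\t ") !== FALSE)
            {
                throw new InvalidArgumentException('Invalid character in cookie path/domain');
            }
        }

        $parts = [rawurlencode($name).'='.rawurlencode($value)];
        if ($expire > 0)
        {
            $parts[] = 'Expires='.gmdate('D, d-M-Y H:i:s T', $expire);
            $parts[] = 'Max-Age='.max(0, $expire - time());
        }
        if ((string) $path !== '')   { $parts[] = 'Path='.$path; }
        if ((string) $domain !== '') { $parts[] = 'Domain='.$domain; }
        if ($secure)                 { $parts[] = 'Secure'; }
        if ($httponly)               { $parts[] = 'HttpOnly'; }
        $parts[] = 'SameSite='.$samesite;

        return implode('; ', $parts);
    }
}
```

Drop the file into application/core/ and add $config['cookie_samesite'] = 'Lax'; (or 'Strict', or 'None' for the cross-site case in the question) to application/config/config.php; CI loads MY_Security automatically because of the subclass prefix, so system/core/Security.php stays untouched.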
Panup Pong
Updated on June 04, 2022
Comments
-
Panup Pong over 1 year
I have applications that make CORS calls to each other. Google in April 2020 will require SameSite cookies = None. https://www.chromestatus.com/feature/5633521622188032
Since Chrome version 80+, all users of the Chrome browser are affected by this CSRF error. How do I fix this problem on the CodeIgniter framework using PHP 7.3?
-
Aggarat .J over 3 years
Not working on all browsers and versions; they will have different behaviors. It is not the final solution:
setcookie('same-site-cookie', 'foo', ['samesite' => 'Lax']);
setcookie('cross-site-cookie', 'bar', ['samesite' => 'None', 'secure' => true]);
For earlier versions of PHP, you can also set the header() directly:
header('Set-Cookie: same-site-cookie=foo; SameSite=Lax');
header('Set-Cookie: cross-site-cookie=bar; SameSite=None; Secure');
-
desertnaut over 3 years
Welcome to SO; for the next time, please take a minute to see how to properly format your code (done it for you now).
-
pbarney over 3 years
Just a warning: that technique won't work in PHP 7.3 because it will begin escaping the semicolon in the cookie path. Might want to look at stackoverflow.com/a/46971326/62536
-
Irodoku over 3 years
This solved my problem; the one marked as the solution does not work with PHP 7.2.
-
Syed Naeem Tariq over 2 years
This is useless: $config['cookie_path'] = '/; SameSite=None'; but this line works for me: $config['cookie_secure'] = TRUE;