Cookie “PHPSESSID” will be soon treated as cross-site cookie against <file> because the scheme does not match

cookies assets url-scheme cross-site websecurity
35,453

Solution 1

that was exactly same happening with me. the issue was that, firefox keeps me showing even Cookies of different websites hosted on same URL : "localhost:Port number" stored inside browser memory.

In my case, i have two projects configured to run at http://localhost:62601, when i run first project, it saves that cookie in browser memory. when i run second project having same URL, Cookie is available inside that projects console also.

what you can do, is delete the all of the cookies from browser.

Solution 2

@Paramjot Singh's answer is correct and got me most of the way to where I needed to be. I also wasted a lot of time staring at those warnings.

But to clarify a little, you don't have to delete ALL of your cookies to resolve this. In Firefox, you can delete individual site cookies, which will keep your settings on other sites.

To do so, click the hamburger menu in the top right, then, Options->Privacy & Security or Settings->Privacy & Security

From here, scroll down about half-way and find Cookies and Site Data. Don't click Clear Data. Instead, click Manage Data. Then, search for the site you are having the notices on, highlight it, and Remove Selected

Simple, I know, but I made the mistake of clearing everything the first time - maybe this will prevent someone from doing same.

Solution 3

The warning is given because, according to MDN web docs:

Standards related to the Cookie SameSite attribute recently changed such that:

The cookie-sending behaviour if SameSite is not specified is SameSite=Lax. Previously the default was that cookies were sent for all requests. Cookies with SameSite=None must now also specify the Secure attribute (they require a secure context/HTTPS).

Which indicates that a secure context/HTTPS is required in order to allow cross site cookies by setting SameSite=None Secure for the cookie.

According to Mozilla, you should explicitly communicate the intended SameSite policy for your cookie (rather than relying on browsers to apply SameSite=Lax automatically), otherwise you might get a warning like this:

Cookie “myCookie” has “SameSite” policy set to “Lax” because it is missing a “SameSite” attribute, and “SameSite=Lax” is the default value for this attribute.

The suggestion to simply delete localhost cookies is not actually solving the problem. The solution is to properly set the SameSite attribute of cookies being set by the server and use HTTPS if needed.

Firefox is not the only browser making these changes. Apparently the version of Chrome I am using (84.0.4147.125) has already implemented the changes as I got this message in the console: enter image description here

The previously mentioned MDN article and this article by Mike Conca have great information about changes to SameSite cookie behavior.

Solution 4

Guess you are using WAMP or LAMP etc. The first thing you need to do is enable ssl on WAMP as you will find many references saying you need to adjust the cookie settings to SameSite=None; Secure That entails your local connection being secure. There are instructions on this link https://articlebin.michaelmilette.com/how-to-add-ssl-https-to-wampserver/ as well as some YouTube vids. The important thing to note is that when creating the SSL certificate you should use sha256 encoding as sha1 is now deprecated and will throw another warning. There is a good explanation of SameSite cookies on https://web.dev/samesite-cookies-explained/ I was struggling with the same issue and solved it by making sure the Apache 2.4 headers module was enabled and than added one line of code

Header always edit Set-Cookie ^(.")$ $1;HttpOnly;Secure

I wasted lots of time staring at the same sets of warnings in the Inspector until it dawned on me that the cookies were persisting and needed purging.

Apparently Chrome was going to introduce the new rules by now but Covid-19 meant a lot of websites might have been broken while people worked from home. The major browsers are working together on the SameSite attribute this so it will be in force soon.

Share:
35,453

Related videos on Youtube

Digital Ninja
Author by

Digital Ninja

Updated on September 14, 2021

Comments

  • Digital Ninja
    Digital Ninja over 2 years

    I've just noticed my console is littered with this warning, appearing for every single linked resource. This includes all referenced CSS files, javascript files, SVG images, and even URLs from ajax calls (which respond in JSON). But not images.

    The warning, for example in case of a style.css file, will say:

    Cookie “PHPSESSID” will be soon treated as cross-site cookie against “http://localhost/style.css” because the scheme does not match.

    But, the scheme doesn't match what? The document? Because that it does.

    • The URL of my site is http://localhost/.
    • The site and its resources are all on http (no https on localhost)
    • The domain name is definitely not different because everything is referenced relative to the domain name (meaning the filepaths start with a slash href="/style.css")

    The Network inspector just reports a green 200 OK response, showing everything as normal.

    It's only Mozilla Firefox that is complaining about this. Chromium seems to not be concerned by anything. I don't have any browser add-ons. The warnings seem to originate from the browser, and each warning links to view the corresponding file source in Debugger.

    Why is this appearing?

    • Elmar Zander
      Elmar Zander over 3 years
      tl;dr In Firefox, go to settings, search for cookies, click Manage Data, search for localhost, select localhost, click Remove Selected... Worked for me...
    • blissini
      blissini over 3 years
      in addidtion you can follow these easy steps in Firefox: support.mozilla.org/en-US/kb/…
  • Aufgeschissener Kunde
    Aufgeschissener Kunde over 3 years
    I run several development projects from VirtualBox, accessed on the same IP address but via domains defined in my hosts file. Deleting cookies seems to have made the message go away.
  • drugan
    drugan over 2 years
    You can also go to Development Tools -> Storage and select line for the "localhost" domain and "/" path and then right click it and delete the selected cookie.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Setting cross-domain cookies in Safari
Assets in Flutter package are not visible in the app
flutter : Passing assetpath as a string and load asset value
Flutter: How to Read Text Files from asset and show it to container
Blue Circle is displayed in CircleAvatar Asset image instead of real image in flutter
How to access asset file in pure dart package?
Flutter unable to load text from assets
How to persist a cookie in Dart?
Flutter Dart: can't load SVG assets: Unable to load asset iconPath
flutter web app deployed on github.pages cannot access SOME assets