Possible cookie issue (FluentLocale)

[tractorcow]

I did encounter this issue in firefox.

Cookie “FluentLocale_CMS” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

[robbieaverill]

It sounds like something we need to update/support in framework. We were speaking earlier today about updating our HTTP support, including cookies etc.

[pine3ree]

@tractorcow @robbieaverill
I had to patch all my SS installations (2.4.x to 4.x) for that (core framework classes Cookie or Cookiejar and Session).
For PHP<7.3 (PHP_VERSION_ID < 70300) you can inject the SameSite attribute (I used a Lax default) into the $path parameter:

$path="{$path}; SameSite=Lax";

when calling setcookie and session_set_cookie_params (this works thanks to a php bug).
But for php version >= 7.3 you must use the newer setcookie signature that allows an array of options (cookie name and value excluded).

[tractorcow]

Great feedback @pine3ree :)

Maybe time to stop supporting 7.2 haha.

[pine3ree]

ref: silverstripe/silverstripe-framework#9920
alt-ref: silverstripe/silverstripe-framework#9842

[tractorcow]

Nice job @pine3ree

[GuySartorelli]

In Silverstripe Framework 4.12.0 all cookies will have a default samesite value of "Lax". This will mean browsers will stop warning about the missing samesite, and gives developers some limited control over what the samesite value is. Refer to silverstripe/silverstripe-framework#10335

Controlling the samesite value for specific cookies won't be available until a future major release of framework, but I don' think that's necessary for this issue to be resolved since it seems to be about the browser warning.