[wp-trac] [WordPress Trac] #37000: Support for the SameSite cookie attribute

WordPress Trac noreply at wordpress.org
Sun Apr 5 05:43:17 UTC 2020


#37000: Support for the SameSite cookie attribute
-------------------------------------------------+-------------------------
 Reporter:  johnbillion                          |       Owner:  (none)
     Type:  enhancement                          |      Status:  new
 Priority:  normal                               |   Milestone:  Future
                                                 |  Release
Component:  Security                             |     Version:
 Severity:  normal                               |  Resolution:
 Keywords:  has-patch dev-feedback needs-        |     Focuses:
  refresh needs-dev-note                         |  administration
-------------------------------------------------+-------------------------

Comment (by mikhailroot):

 The thing is that PHP has had the ability to set SameSite only since 7.3,
 so first check which PHP version you are using. Chrome defaults to
 `SameSite=Lax` if it's not set. I've decided to add this filter because I
 consider it better to give other developers more control of this setting
 if it gets set explicitly.
 I personally have tested it with WordPress+Shopify sites which are on
 subdomains like wp.example.com - running WordPress and example.com -
 hosted by Shopify, and another site is example2.com running WP and
 shopify.example2.com - running Shopify. All works smoothly with
 `SameSite=None` - I needed to allow access to the WordPress authenticated
 admin side to be used inside Shopify's App Iframe; without `SameSite=None`
 it would get blocked in Chrome. I consider that if you have PHP 7.3+ and
 you've applied the patch I've proposed, it should work for you.

 Replying to [comment:22 adam320]:
 > Will the addition of the wp_auth_cookie_same_site filter solve the issue
 > I am having with multisite domain mapping? Chrome no longer logs you into
 > the front end of a subdomain network because of the SameSite issue. What
 > is odd is that in Firefox, the cookies currently are set flagged as
 > SameSite=None; Secure, but in Chrome they show as blocked and the flags
 > are not set.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/37000#comment:23>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
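
The PHP 7.3 version check and the `SameSite=None` setup described in the comment above, as an added example that is not part of the ticket, the proposed patch or WordPress core. The `example_*` function names and the cookie name and value are hypothetical; falling back to `Lax` when `None` is requested without `Secure` is this example's choice, made because Chrome rejects `SameSite=None` cookies that lack `Secure`.

```php
<?php
// Added example; the example_* functions are hypothetical, not WordPress core APIs.
/** Normalise the SameSite value; unknown values and None-without-Secure become Lax. */
function example_normalize_same_site( $same_site, $secure ) {
	$same_site = ucfirst( strtolower( (string) $same_site ) );
	if ( ! in_array( $same_site, array( 'None', 'Lax', 'Strict' ), true ) ) {
		return 'Lax';
	}
	return ( 'None' === $same_site && ! $secure ) ? 'Lax' : $same_site;
}

/** Build the raw header line for PHP < 7.3, where setcookie() has no samesite option. */
function example_cookie_header( $name, $value, array $o ) {
	$parts = array( $name . '=' . rawurlencode( $value ) );
	if ( $o['expires'] > 0 ) {
		$parts[] = 'Expires=' . gmdate( 'D, d M Y H:i:s', $o['expires'] ) . ' GMT';
	}
	$parts[] = 'Path=' . $o['path'];
	if ( '' !== $o['domain'] ) {
		$parts[] = 'Domain=' . $o['domain'];
	}
	if ( $o['secure'] ) {
		$parts[] = 'Secure';
	}
	$parts[] = 'HttpOnly'; // This example always sets HttpOnly, as for an auth cookie.
	$parts[] = 'SameSite=' . $o['samesite'];
	return 'Set-Cookie: ' . implode( '; ', $parts );
}

/** Send the cookie: options array on PHP 7.3+, raw header on older versions. */
function example_set_cookie( $name, $value, $expires, $path, $domain, $secure, $same_site ) {
	$o = array(
		'expires'  => $expires,
		'path'     => $path,
		'domain'   => $domain,
		'secure'   => (bool) $secure,
		'httponly' => true,
		'samesite' => example_normalize_same_site( $same_site, $secure ),
	);
	if ( PHP_VERSION_ID >= 70300 ) {
		return setcookie( $name, $value, $o );
	}
	header( example_cookie_header( $name, $value, $o ), false );
	return true;
}

// Constructed values: a cookie meant to be sent inside a cross-site iframe over HTTPS.
$demo = array( 'expires' => 0, 'path' => '/', 'domain' => 'wp.example.com', 'secure' => true, 'samesite' => example_normalize_same_site( 'none', true ) );
echo example_cookie_header( 'example_logged_in', 'constructed-value', $demo ), "\n";
```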

