Veriteworks / CookieFix

Fix Magento2.2/2.3/2.4 Cookie SameSite attribute
Academic Free License v3.0

Unsecure cookie fix #36

Closed Lemongrabb closed 2 months ago

Lemongrabb commented 2 months ago

\Magento\Framework\Session\Config::setCookieSameSite

```php
public function setCookieSameSite(string $cookieSameSite = 'Lax'): ConfigInterface
{
    $validator = $this->_validatorFactory->create(
        [],
        CookieSameSiteValidator::class
    );
    // The second condition is the one highlighted in the original comment:
    // SameSite=None is rejected when the session cookie is not Secure.
    if (!$validator->isValid($cookieSameSite) ||
        !$this->getCookieSecure() && strtolower($cookieSameSite) === 'none') {
        throw new \InvalidArgumentException(
            'Invalid Samesite attribute.'
        );
    }
    $this->setOption('session.cookie_samesite', $cookieSameSite);
    return $this;
}
```

You can't make samesite None if cookie is unsecure
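
An added example, not part of the thread and not Magento or CookieFix code: a standalone audit that flags the same pairing the quoted `setCookieSameSite` rejects, run over `Set-Cookie` values. The function names (`parseSetCookie`, `auditSameSite`) and the header lines are constructed for illustration.

```php
<?php
declare(strict_types=1);

/** Split one Set-Cookie value into [cookie name, attributes keyed by lowercase name]. */
function parseSetCookie(string $header): array
{
    $parts = array_map('trim', explode(';', $header));
    $pair = array_shift($parts);
    $name = trim(explode('=', $pair, 2)[0]);
    $attrs = [];
    foreach ($parts as $part) {
        if ($part === '') {
            continue;
        }
        $kv = explode('=', $part, 2);
        // Flag attributes such as Secure and HttpOnly carry no value.
        $attrs[strtolower(trim($kv[0]))] = isset($kv[1]) ? trim($kv[1]) : true;
    }
    return [$name, $attrs];
}

/** Return a finding, or null when the SameSite/Secure pairing is acceptable. */
function auditSameSite(string $header): ?string
{
    [$name, $attrs] = parseSetCookie($header);
    $sameSite = $attrs['samesite'] ?? null;
    if ($sameSite === null) {
        return null; // attribute absent: the browser default applies
    }
    $value = strtolower((string) $sameSite);
    if (!in_array($value, ['strict', 'lax', 'none'], true)) {
        return "$name: invalid SameSite value '$sameSite'";
    }
    if ($value === 'none' && !isset($attrs['secure'])) {
        return "$name: SameSite=None without Secure";
    }
    return null;
}

// Constructed sample headers, not captured from a real store.
$constructed = [
    'PHPSESSID=abc123; Path=/; HttpOnly; SameSite=None',
    'PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=None',
    'form_key=xyz; Path=/; SameSite=Lax',
    'mage-cache=1; Path=/; SameSite=Bogus',
];
foreach ($constructed as $line) {
    echo (auditSameSite($line) ?? 'ok: ' . $line), PHP_EOL;
}
```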

HirokazuNishi commented 2 months ago

@Lemongrabb Thanks!