Thanks for your Fix，But I still get warning from Chrome & Firefox without 'secure'

[mugua]

Hi, Thanks for your Fix，But I still get warning from Chrome & Firefox without 'secure'。 The Chrome warning is below: A cookie associated with a cross-site resource at http://baidu.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032. The Firefox warning is below: 由于 Cookie “PHPSESSID”的“sameSite”属性设置为“none”，但缺少“secure”属性，此 Cookie 未来将被拒绝。若要了解“sameSite“的更多信息，请参阅： (This cookie will be rejected in the future because the 'samesite' property of the cookie 'phpsessid' is set to 'none', but the 'secure' property is missing. To learn more about "samesite," see:) https://developer.mozilla.org/docs/Web/HTTP/Cookies

[HirokazuNishi]

Hi @mugua, could you attach your screenshot?

[mugua]

@HirokazuNishi FYI.

[HirokazuNishi]

@mugua Thanks. Is your website correctly configured to use SSL/TLS?

[mugua]

Yes, it's configured to use SSL/TLS yet.

[mugua]

My Nginx setting is force http to https.

[HirokazuNishi]

Strange. What PHP & Magento version do you use? Also which version of our extension?

[mugua]

Magento 2.3.5-p1, Php 7.3.x and your latest version...

[mugua]

It sames that is the Magento 2.3.5-p1's bug...

[HirokazuNishi]

Of course I tested 2.3.5-p1 with both PHP 7.2/7.3. The extension works fine for my env. Did you test it on vanilla Magento 2.3.5-p1?

[mugua]

Can you show the secure attribute in frontend ? I only can show httponly and samesite=none.

[HirokazuNishi]

My local has both SameSite and Secure flags on frontend. Of course I'm using 2.3.5-p1 and latest.

[mugua]

I found that the magento Marketplace has the same issue. you can have a look at https://marketplace.magento.com Thanks.

[mugua]

It the same as me.

[HirokazuNishi]

It's not Magento's marketplace issue. These cookies weren't set SameSite or Secure attribute by their origin. You can only control your website scope cookie. However I don't know why your environment doesn't work as expected. Did you install other extensions?

[mugua]

yeah, Codazon Infinit theme, wechatpay and alipay extensions and so on...

[HirokazuNishi]

Please test vanilla Magento. Extensions and themes sometimes cause serious conflicts.

[mugua]

OK, I'LL TRY IT...

[mugua]

I run a clean Magento 2.3.5-p1, It is still haven't secure tag...

[mugua]

it seems that 2.4-dev still have this problem... https://github.com/magento/magento2/issues/27879

[niro08]

@mugua, I had the same problem. It looks like you have a different "base_url" and "base_secure_url". As a result false is passed to the setCookieSecure function in vendor/magento/framework/Session/Config.php file (see screenshot)