phpfui / ConstantContact

MIT License

Session handler and samesite cookies. #14

Closed pixelone closed 1 year ago

pixelone commented 1 year ago

Hello,

Appreciate your hard work on this library.

Do you have any suggestion on how this can be used with Samesite cookies set as Strict?

I found that in our Session implementation with Laravel, when cookies are stored as LAX it will Authorize fine, however when Samesite Cookies are set as Strict, I get an Unauthorized response back. I assume because of the offsite transfer the session is lost.

Is there any other suggestion on how to still use this Library with Samesite cookies set as strict or an alternative way of handling this from within the session handler?

Again, your work and time on this is greatly appreciated, hoping some simple way around this.

phpfui commented 1 year ago

I don't seem to have a problem on my sites, but not using Laravel. This is how I set cookies:

    public function set(string $name, string $value = '', bool $permanent = false) : static
        {
        $options = [
            'expires' => $permanent ? \time() + 32_000_000 : 0, // about a year if permanent, else a session cookie
            'path' => '/',
            'domain' => $_SERVER['SERVER_NAME'],
            'secure' => true,      // only over HTTPS
            'httponly' => true,    // not readable from JavaScript
            'samesite' => 'Strict',
        ];
        \setcookie($this->prefix . $name, $value, $options);

        return $this;
        }

You might want to check the Constant Contact API docs to see what they say about cookies. Let me know what you figure out.

pixelone commented 1 year ago

I think the problem presents itself on the initial redirect to authenticate and get the first access_token and redirect_token.

For example: Once the user is redirected to constant contact (the first time) to login and validate, (header('location: ' . $client->getAuthorizationURL());), the session is then lost on the return back to the redirect_url.

Once redirected back from Constant Contact we can typically grab the access_token and refresh_token and save them, however by having cookies with samesite set as strict the below values are empty.

    $client->acquireAccessToken($_GET);
    echo $client->accessToken;
    echo $client->refreshToken;

Setting the cookie to LAX corrects the problem, but really need to keep them as strict.

I will see what I can find, appreciate the help.
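The behaviour described above is what SameSite=Strict is designed to do: the return from Constant Contact to the redirect URI is a top-level navigation initiated by another site, so the browser withholds every Strict cookie on that request, including the session cookie, while a SameSite=Lax cookie is still sent on a cross-site top-level GET. One way to keep the main session Strict and still complete the OAuth round trip is to carry only the handshake on a separate, short-lived, HMAC-signed Lax cookie. The following is an added example and not code from the phpfui/ConstantContact library or from either participant; `OAUTH_COOKIE`, `OAUTH_TTL`, `OAUTH_SECRET`, the `TokenStore` interface and the `/settings/constantcontact` landing page are assumptions, and the only `$client` members used are the ones named in this thread (`getAuthorizationURL`, `acquireAccessToken`, `accessToken`, `refreshToken`).

```php
<?php
declare(strict_types=1);

// Added example (not library code). Keep the session cookie SameSite=Strict and
// carry the OAuth round trip on a separate SameSite=Lax cookie that the browser
// will send on the cross-site return navigation.

const OAUTH_COOKIE = 'cc_oauth';  // assumption: any name that does not collide with the session cookie
const OAUTH_TTL    = 600;         // seconds; one round trip never needs longer
const OAUTH_SECRET = 'replace-with-random-secret-from-config';  // placeholder, load from configuration

/** Hypothetical persistence for the acquired tokens, keyed by the local user. */
interface TokenStore
	{
	public function save(int $userId, string $accessToken, string $refreshToken) : void;
	}

/** Sign the payload so the callback can trust it without the Strict session cookie. */
function signOauthPayload(array $payload) : string
	{
	$json = \json_encode($payload, JSON_THROW_ON_ERROR);
	$mac = \hash_hmac('sha256', $json, OAUTH_SECRET);

	return \base64_encode($json) . '.' . $mac;
	}

/** Return the payload when signature and expiry check out, otherwise null. */
function verifyOauthPayload(string $cookie) : ?array
	{
	$parts = \explode('.', $cookie, 2);
	if (2 !== \count($parts))
		{
		return null;
		}
	$json = \base64_decode($parts[0], true);
	if (false === $json || ! \hash_equals(\hash_hmac('sha256', $json, OAUTH_SECRET), $parts[1]))
		{
		return null;
		}
	$payload = \json_decode($json, true);
	if (! \is_array($payload) || ($payload['exp'] ?? 0) < \time())
		{
		return null;  // tampered, malformed or expired
		}

	return $payload;
	}

/** Step 1: runs on a normal page, where the Strict session cookie is present. */
function startAuthorization($client, int $userId) : void
	{
	$payload = [
		'user' => $userId,
		'state' => \bin2hex(\random_bytes(16)),  // nonce; compare with the echoed OAuth state if your flow sends one
		'exp' => \time() + OAUTH_TTL,
	];
	\setcookie(OAUTH_COOKIE, signOauthPayload($payload), [
		'expires' => \time() + OAUTH_TTL,
		'path' => '/',
		'secure' => true,
		'httponly' => true,
		'samesite' => 'Lax',  // the one cookie allowed to travel on the cross-site return navigation
	]);
	\header('Location: ' . $client->getAuthorizationURL());
	exit;
	}

/** Step 2: the redirect URI. No Strict cookie arrives here, so rely on the Lax one. */
function handleCallback($client, TokenStore $store) : void
	{
	$payload = verifyOauthPayload($_COOKIE[OAUTH_COOKIE] ?? '');
	// The handshake cookie is single-use: clear it whatever happens next.
	\setcookie(OAUTH_COOKIE, '', ['expires' => 1, 'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
	if (null === $payload)
		{
		\http_response_code(400);
		echo 'Authorization attempt expired or missing, please start again.';

		return;
		}

	$client->acquireAccessToken($_GET);
	$store->save((int)$payload['user'], (string)$client->accessToken, (string)$client->refreshToken);

	// Do not answer with a 302: a redirect continues the same navigation that the
	// other site initiated, so Strict cookies would still be withheld. Let the
	// browser start a fresh, same-site navigation of its own instead; that one
	// carries the Strict session cookie again.
	echo '<!doctype html><meta http-equiv="refresh" content="0;url=/settings/constantcontact">'
		. '<p>Connected. <a href="/settings/constantcontact">Continue</a></p>';
	}
```

The handshake cookie never holds the tokens themselves, only the local user id, a nonce and an expiry under an HMAC, so a forged or replayed cookie cannot attach tokens to a different account, and the Strict session cookie is never exposed to the cross-site navigation at all.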

phpfui commented 1 year ago

I would suspect a Laravel issue. I do the initial authorization in the normal UI, but the real work is done as a cron job.


pixelone commented 1 year ago

I will look into it. Thanks for the help.