How to make OpenCart 2.3 properly support SameSite cookies for Chrome 80?

I have 4 computers, I also use my mobile device to test checkout. Samsung Galaxy A70

No problems occurred in all processes, Do you think it is caused by other cookie files that I use?

For example, using Facebook or Google cookie files?

I would doubt it. They will only be used by Facebook or Google, I can't see that your payment extension would use them. You could always try disabling them.

Solution:

en:
https://medium.com/@ayhankesicioglu/ope ... 162a390c11
tr:
http://www.ayhankesicioglu.com/2020/09/ ... ozumu.html

A few issues with your solution.

In system/library/session.php your session_set_cookie_params has the domain hardcoded. You should not set the domain at all or a the very least use ini_get('session.cookie_domain').

config/phpmailer/get_oauth_token.php is not part of OpenCart.

You are setting httponly of the language, tracking and currency cookies for PPH 7.3+ where this was not set before. Just be aware there could be rare cases where an extension or theme accesses them via JavaScript.

You might also want to mention most sites won't be affected, only sites where a payment gateway returns with a POST. Making the changes necessarily would lose the the security benefits.

Also the changes will be completely different for OpenCart 3.x and 1.

HAO wrote: ↑

Fri Aug 14, 2020 12:34 am

Open
system/library/session.php

Find

Code: Select all

			setcookie($key, $this->session_id, ini_get('session.cookie_lifetime'), ini_get('session.cookie_path'), ini_get('session.cookie_domain'), ini_get('session.cookie_secure'), ini_get('session.cookie_httponly'));

Replace

Code: Select all

			setcookie($key, $this->session_id, ['expires' => ini_get('session.cookie_lifetime'), 'path' => ini_get('session.cookie_path'), 'domain' => ini_get('session.cookie_domain'), 'samesite' => 'None', 'secure' => true, 'httponly' => ini_get('session.cookie_httponly')]);

Find

Code: Select all

		setcookie($key, '', time() - 42000, ini_get('session.cookie_path'), ini_get('session.cookie_domain'));

Replace

Code: Select all

		setcookie($key, '', ['expires' => time() - 42000, 'path' => ini_get('session.cookie_path'), 'domain' => ini_get('session.cookie_domain'), 'samesite' => 'None', 'secure' => true]);

I could not find this code in system/library/session.php for Opencart 3.0.2 Default theme....Is there another file it should be placed in?

fegdeed wrote: ↑

Tue Jan 12, 2021 2:27 pm

I could not find this code in system/library/session.php for Opencart 3.0.2 Default theme....Is there another file it should be placed in?

For OpenCart 3.0.x and PHP 7.3 try.
viewtopic.php?f=202&t=219633#p797082

ADD Creative wrote: ↑

Tue Jan 12, 2021 8:37 pm

fegdeed wrote: ↑

Tue Jan 12, 2021 2:27 pm

I could not find this code in system/library/session.php for Opencart 3.0.2 Default theme....Is there another file it should be placed in?

For OpenCart 3.0.x and PHP 7.3 try.
viewtopic.php?f=202&t=219633#p797082

Thank you @ADD Creative, I tried that but only OCSESSID cookies shows secure, both language and currency cookies show Same-site connections only.

Did you try the changes in linked post at the bottom? viewtopic.php?f=190&t=216579&start=20#p796020 Just ignore the session setcookie $key cookie changes and do the language and currency ones.

ADD Creative wrote: ↑

Tue Jan 12, 2021 10:26 pm

Did you try the changes in linked post at the bottom? viewtopic.php?f=190&t=216579&start=20#p796020 Just ignore the session setcookie $key cookie changes and do the language and currency ones.

Yes @ADD Creative, thank you...it looks like it was cached in the browser lol...
Everything is showing secure now .