Post by HAO » Wed Aug 19, 2020 11:05 am

I have an OpenCart 3.0.2.0 store. I know that Chrome 80 SameSite issues need to be fixed, and I also saw this post:
https://github.com/opencart/opencart/issues/7946

But I still don’t understand how my version can solve this problem. Can someone tell me how to modify the file?

Thank you!
Last edited by HAO on Fri Dec 11, 2020 4:16 pm, edited 1 time in total.


Post by Rizki saputra » Wed Aug 19, 2020 3:35 pm

I have the same problem, I want to know the right answer :P



Post by letxobnav » Wed Aug 19, 2020 3:47 pm

All that topic does is provide a function which produces a cookie covering the different ways the PHP setcookie function can be used in PHP versions below 7.3 and above.
It does not solve anything stated in the topic.

Session cookies are set in catalog/controller/startup/session.php and system/framework.php.
Why twice? God only knows.

catalog/controller/startup/session.php

Code:

setcookie($this->config->get('session_name'), $this->session->getId(), ini_get('session.cookie_lifetime'), ini_get('session.cookie_path'), ini_get('session.cookie_domain'));
you could change that to:

Code:

setcookie($this->config->get('session_name'), $this->session->getId(), ini_get('session.cookie_lifetime'), ini_get('session.cookie_path').'; SameSite=strict', ini_get('session.cookie_domain'),true,true);
system/framework.php

Code:

setcookie($config->get('session_name'), $session->getId(), ini_get('session.cookie_lifetime'), ini_get('session.cookie_path'), ini_get('session.cookie_domain'));
you could change that to:

Code:

setcookie($config->get('session_name'), $session->getId(), ini_get('session.cookie_lifetime'), ini_get('session.cookie_path').'; SameSite=strict', ini_get('session.cookie_domain'),true,true);
But as far as I know, if you set your cookies secure, samesite is not an issue.

Crystal Light Centrum Taiwan
Extensions: MailQueue | SUKHR | VBoces

“Data security is paramount at [...], and we are committed to protecting the privacy of anyone who is associated with our [...]. We’ve made a lot of improvements and will continue to make them.”
When you know your life savings are gone.



Post by ADD Creative » Wed Aug 19, 2020 6:54 pm

A bit of a warning about setting SameSite=Strict. This will stop some payment modules from working. Even the new default of SameSite=Lax breaks a few.
HAO wrote:
Wed Aug 19, 2020 11:05 am
I have an OpenCart 3.0.2.0 store. I know that Chrome 80 SameSite issues need to be fixed, and I also saw this post:
https://github.com/opencart/opencart/issues/7946

But I still don’t understand how my version can solve this problem. Can someone tell me how to modify the file?

Thank you!
Rizki saputra wrote:
Wed Aug 19, 2020 3:35 pm
I have the same problem, I want to know the right answer :P
What is the exact problem you have and what PHP version are you using?

www.add-creative.co.uk



Post by letxobnav » Wed Aug 19, 2020 7:54 pm

Yes, I'm not sure what the requirements are, but as far as I can tell, if you set secure, you can also just use SameSite none or blank.
Personally I would just set them secure and leave the rest as is for now.


Post by ADD Creative » Thu Aug 20, 2020 12:47 am

If you need the old cookie behaviour with no restrictions, you need to explicitly set the SameSite attribute to None as well as setting the Secure attribute. A blank or missing SameSite attribute will default to SameSite=Lax in new browsers that follow the new rules.

This should only be necessary for payment gateways (or other third-party services) that POST back to the store and expect the session to be active.

letxobnav wrote:
Wed Aug 19, 2020 3:47 pm
Session cookies are set in catalog/controller/startup/session.php and system/framework.php.
Why twice? God only knows.
I believe the duplicate setting of the cookie was fixed in 3.0.3.2.
https://github.com/opencart/opencart/co ... a80d2828b1


Post by ADD Creative » Sat Aug 22, 2020 9:59 pm

For OpenCart 3 with the need for the old cookie behaviour.
viewtopic.php?f=202&t=219633#p797082


Post by HAO » Fri Dec 11, 2020 4:15 pm

Ok!
I have a new situation: I am installing an OpenCart 3.0.3.2 system. How can I solve this problem based on this version?


Post by ADD Creative » Fri Dec 11, 2020 8:32 pm

What version of PHP?


Post by HAO » Fri Dec 11, 2020 9:50 pm

PHP 7.3, because Journal 3 does not support PHP 7.4. I remember the discussion half a year ago; Daniel seemed to have some solutions in mind. What should I do?


Post by ADD Creative » Fri Dec 11, 2020 9:58 pm

HAO wrote:
Fri Dec 11, 2020 9:50 pm
PHP 7.3, because Journal 3 does not support PHP 7.4. I remember the discussion half a year ago; Daniel seemed to have some solutions in mind. What should I do?
Try the changes in this post.
viewtopic.php?f=202&t=219633#p797082


Post by webdesires » Tue Dec 15, 2020 12:11 pm

We have released a plugin that handles all this for you - Secure Cookies & Sessions (with Strict, Lax, None samesite)

Regards, WebDesires.
We are a team of developers in the UK - professional and friendly, message us or give us a call anytime and we will be happy to help.

Phone: +44 (0) 121 318 6336 - Web: webdesires.co.uk - Skype: WebDesires
OpenCart Support - OpenCart Web Development - Our OpenCart Plugins



Post by jvandemerwe » Tue Dec 22, 2020 12:19 am

I have solved this with a VQMod modification. I am using OpenCart 3.0.2.6 and PHP 7.3.

Code:

<?xml version="1.0" ?>

<modification>
    <id>Framework and catalog session samesite cookie</id>
    <vqmver>2.5.0</vqmver>
    <version>1.0</version>
    <author>J.J. van de Merwe</author>

    <file name="system/framework.php" error="log">
        <operation>
            <search position="replace">
                <![CDATA[
    setcookie($config->get('session_name'), $session->getId(), ini_get('session.cookie_lifetime'), ini_get('session.cookie_path'), ini_get('session.cookie_domain'));
                ]]>
            </search>
            <add action="after">
                <![CDATA[
    // ### Modified code: your-filename.xml ###             
    setcookie(
        $config->get('session_name'),
        $session->getId(),
        [
            'expires'  => ini_get('session.cookie_lifetime'),
            'path'     => ini_get('session.cookie_path'),
            'domain'   => ini_get('session.cookie_domain'),
            'secure'   => true,
            'httponly' => true,
            'samesite' => 'None'
        ]
    );
    // ### (End) Modified code ###
                ]]>
            </add>
        </operation>
    </file>

    <file name="catalog/controller/startup/session.php" error="log">
        <operation>
            <search position="replace">
                <![CDATA[
            setcookie($this->config->get('session_name'), $this->session->getId(), ini_get('session.cookie_lifetime'), ini_get('session.cookie_path'), ini_get('session.cookie_domain'));
                ]]>
            </search>
            <add action="after">
                <![CDATA[
            // ### Modified code: your-filename.xml ###   
            setcookie(
                $this->config->get('session_name'),
                $this->session->getId(),
                [
                    'expires'  => ini_get('session.cookie_lifetime'),
                    'path'     => ini_get('session.cookie_path'),
                    'domain'   => ini_get('session.cookie_domain'),
                    'secure'   => true,
                    'httponly' => true,
                    'samesite' => 'None'
                ]
            );
                ]]>
            </add>
        </operation>
    </file>
</modification>

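
The approaches from this thread (the path workaround for PHP below 7.3, the options array for PHP 7.3 and above, and the rule that SameSite=None needs Secure) combined in one helper. This is an added example, not OpenCart code and not code from any poster; `session_cookie_args()`, the `OCSESSID` name and the session id value are assumptions made for illustration.

```php
<?php
// Added example; session_cookie_args() is a hypothetical helper, not OpenCart code.

/** Build the argument list for setcookie() for a session cookie with SameSite. */
function session_cookie_args(string $name, string $id, string $sameSite, bool $secure): array
{
    $sameSite = ucfirst(strtolower($sameSite));
    if (!in_array($sameSite, ['Strict', 'Lax', 'None'], true)) {
        throw new InvalidArgumentException("Unknown SameSite value: $sameSite");
    }
    // Browsers that follow the new rules reject SameSite=None without Secure.
    if ($sameSite === 'None' && !$secure) {
        throw new LogicException('SameSite=None requires the Secure attribute');
    }

    // session.cookie_lifetime is a duration in seconds, while setcookie() expects
    // an absolute Unix timestamp (0 = cookie lasts until the browser closes).
    $lifetime = (int) ini_get('session.cookie_lifetime');
    $expires  = $lifetime > 0 ? time() + $lifetime : 0;
    $path     = ini_get('session.cookie_path') ?: '/';
    $domain   = (string) ini_get('session.cookie_domain');

    if (PHP_VERSION_ID >= 70300) {
        // PHP 7.3 and above: options array with a 'samesite' key.
        return [$name, $id, [
            'expires'  => $expires,
            'path'     => $path,
            'domain'   => $domain,
            'secure'   => $secure,
            'httponly' => true,
            'samesite' => $sameSite,
        ]];
    }
    // Below PHP 7.3 setcookie() has no SameSite parameter, so the attribute
    // is appended to the path, as in the one-line change earlier in the thread.
    return [$name, $id, $expires, $path . '; SameSite=' . $sameSite, $domain, $secure, true];
}

// Constructed sample values: OCSESSID and the id stand in for
// $config->get('session_name') and $session->getId().
$secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
// 'Lax' here; 'None' is for stores whose payment gateway POSTs back and
// expects the session to be active, and it only works over HTTPS.
setcookie(...session_cookie_args('OCSESSID', 'constructed-session-id', 'Lax', $secure));
```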
