Brief Summary
When I click a link from Gmail, the cookies and sessions are lost. But if I copy the link in Gmail and paste it in a blank tab, the cookies are retained!
Long Detail
At www.mydomain.com, I set cookies and the PHP session with the following options:
<?php
// Session cookie parameters (array form, PHP >= 7.3).
$myCookieSessionOptions = array(
    // 'lifetime' is a duration in seconds, not an absolute timestamp,
    // so time() must not be added here.
    'lifetime' => 60*60*24*363,
    'path'     => "/",
    'domain'   => "." . "mydomain.com",
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict'
);
session_set_cookie_params($myCookieSessionOptions);
session_name("mySessionName");
session_start();
The above code is on both login.php and anotherpage.php. On login.php, when I log in and set session variables, etc., session_id() shows up as c7a9c180b767e889ad0161dc613aec41, for example.
When I access anotherpage.php in a blank tab with some GET parameters (and my code does nothing to the session), I get the same session_id().
However, when the same link for anotherpage.php (along with the GET parameters) is sent in an email, I get a totally new session_id, 3fc7f8749ba6eb46ddd35a0db3a17589 for example.
And in the other tab, which had login.php, the session is lost, as a new session is created, obviously.
The question is whether this behaviour is normal. And this is not with Gmail alone, obviously. From "anyotherdomain.com", when I click on a link to my domain, no cookies are sent!
Very weird! Is there any documentation on this behavior?
Any help will be appreciated
session.auto_start is Off (checked in phpinfo).
And there's no code before the above that does anything at all with the sessions.
Thanks
Rajan
Answer
I figured it out! If I have samesite="none", the problem disappears.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
I tested it and it works fine.
As per the doc:
Strict: Cookies will only be sent in a first-party context and not be sent along with requests initiated by third party websites.
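The SameSite rules the linked MDN page describes, as an added example that is not part of the original post: it models which of the three settings sends the session cookie for the cases in the question (URL pasted into a blank tab, link clicked from Gmail, cross-site POST), and includes Lax, which sends the cookie on a top-level link click while still withholding it on cross-site POSTs. Host names are taken from the question; site matching is a simplification (last two DNS labels, no Public Suffix List).

```python
# Added example (not from the original post): a minimal model of the browser's
# SameSite decision. Site comparison is a simplification (last two labels only).
from dataclasses import dataclass
from typing import Optional

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def site_of(host: str) -> str:
    """Registrable-domain approximation: 'www.mydomain.com' -> 'mydomain.com'."""
    return ".".join(host.lower().split(".")[-2:])


@dataclass
class Cookie:
    name: str
    samesite: str            # "Strict", "Lax" or "None"
    secure: bool = True


@dataclass
class Request:
    target_host: str
    initiator_host: Optional[str]   # None = typed/pasted URL or bookmark
    method: str = "GET"
    top_level_navigation: bool = True
    https: bool = True


def cookie_is_sent(cookie: Cookie, req: Request) -> bool:
    """Return True if the browser attaches the cookie to this request."""
    if cookie.secure and not req.https:
        return False                      # Secure cookies never go over http
    # A request with no initiator (address bar, new blank tab) is same-site.
    same_site = (req.initiator_host is None
                 or site_of(req.initiator_host) == site_of(req.target_host))
    policy = cookie.samesite.lower()
    if policy == "none":
        return cookie.secure              # None is rejected without Secure
    if same_site:
        return True
    if policy == "lax":
        return req.top_level_navigation and req.method.upper() in SAFE_METHODS
    return False                          # Strict: never on cross-site requests


def scenarios(policy: str) -> dict:
    """The question's cases for one SameSite setting (constructed inputs)."""
    c = Cookie("mySessionName", policy)
    return {
        "pasted_in_blank_tab": cookie_is_sent(c, Request("www.mydomain.com", None)),
        "link_clicked_in_gmail": cookie_is_sent(c, Request("www.mydomain.com", "mail.google.com")),
        "cross_site_form_post": cookie_is_sent(c, Request("www.mydomain.com", "anyotherdomain.com", method="POST")),
    }
```

Running scenarios("Strict"), scenarios("Lax") and scenarios("None") shows why the Gmail click lost the session under Strict, and that Lax restores that case without also sending the cookie on cross-site POSTs the way None does.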