
How to fix the SameSite attribute warning?


A cookie associated with a cross-site resource at https://cloudflare.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

Is it important that I resolve this? How do I resolve this? I added this at the top of my site but it didn't resolve anything.

<?php
    header('Set-Cookie: cross-site-cookie=name; SameSite=None; Secure');
?>

Solution

  • As a general note, these warnings are purely informational at the moment and are not affecting your site's behaviour. These will become the defaults as of Chrome 80 though, due to hit stable around Feb 2020.

    In this instance, the cookie is coming from https://cloudflare.com. As that's not your domain, nothing you put in your site's code is going to affect that cookie. Two things to check here:

    1. If the CloudFlare cookie is something you have explicitly set in your account there, e.g. maybe setting a cookie via a worker, then you need to update the SameSite attributes there.
    2. If this cookie is from CloudFlare functionality you are not responsible for, then you do not need to take action. CloudFlare is responsible for managing those cookies and updating the attributes.

    So, your PHP code looks fine but it will not be affecting cookies outside of your site. You can check https://web.dev/samesite-cookies-explained for more context.
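
The distinction the answer draws, between cookies your own responses set and cookies set by another domain, can be checked mechanically. This is an added example, not code from the original post: the function names, the `example.test` host and the sample `Set-Cookie` values are constructed for illustration, and the own-host check is a simple host/subdomain match.

```php
<?php
// Added example: the site host and the responses below are constructed sample data.

// Split one Set-Cookie header value into the cookie name and its attributes.
function parseSetCookie(string $header): array
{
    $parts = array_map('trim', explode(';', $header));
    [$name] = explode('=', array_shift($parts), 2);
    $attrs = [];
    foreach ($parts as $part) {
        if ($part === '') {
            continue;
        }
        $kv = explode('=', $part, 2);
        $attrs[strtolower(trim($kv[0]))] = isset($kv[1]) ? trim($kv[1]) : true;
    }
    return ['name' => trim($name), 'attrs' => $attrs];
}

// Report who set the cookie and whether its SameSite/Secure combination is complete.
function auditCookie(string $siteHost, string $responseUrl, string $header): array
{
    $cookie   = parseSetCookie($header);
    $host     = strtolower((string) parse_url($responseUrl, PHP_URL_HOST));
    $raw      = $cookie['attrs']['samesite'] ?? '';
    $sameSite = is_string($raw) ? strtolower($raw) : '';
    $secure   = isset($cookie['attrs']['secure']);
    // Simplification: exact host or subdomain match, not a Public Suffix List lookup.
    $suffix   = '.' . strtolower($siteHost);
    $own      = $host === strtolower($siteHost) || substr($host, -strlen($suffix)) === $suffix;

    if ($sameSite === '') {
        $finding = 'no SameSite attribute';
    } elseif ($sameSite === 'none' && !$secure) {
        $finding = 'SameSite=None without Secure';
    } else {
        $finding = 'ok';
    }
    return [$cookie['name'], $host, $own ? 'your code' : 'third party', $finding];
}

$responses = [ // constructed (response URL, Set-Cookie value) pairs
    ['https://example.test/', 'session=abc123; Path=/; HttpOnly'],
    ['https://example.test/', 'cross-site-cookie=name; SameSite=None; Secure'],
    ['https://cloudflare.com/', 'vendor-cookie=xyz; Path=/; HttpOnly'],
];
foreach ($responses as [$url, $header]) {
    vprintf("%-18s %-16s %-12s %s\n", auditCookie('example.test', $url, $header));
}
```

Only rows marked `your code` can be fixed from your site's PHP; a `third party` row corresponds to the case in the answer where the other domain has to update the attributes.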