
Setting "SameSite=Lax" value with my cookie


I just got a warning in Chrome that the way I've been setting a cookie needs to be updated with the "SameSite" attribute. I found this PHP page here: https://wiki.php.net/rfc/same-site-cookie

Based on this, I have updated my setCookie to:

    setcookie("foo", $res["ID"] . "|" . $_POST["bar"], time() + (86400 * 30), "/", $_SERVER['HTTP_HOST'], false, false, "Lax"); // 86400 = 1 day

from

    setcookie("foo", $res["ID"] . "|" . $_POST["bar"], time() + (86400 * 30), "/"); // 86400 = 1 day

My LAMP project is hosted on AWS, but I also test on my local box.

My questions are:

(a) Have I done this correctly? I would normally test this before coming here, but in this case testing means deploying to AWS and debugging from there, which is tedious and makes my site potentially unstable.

(b) In PHP, is there any way to just set SameSite="Lax" while keeping the defaults for domain, secure, and httponly parameters?


Solution

  • I was able to solve both questions using an associative options array

    // Options-array form of setcookie(), available since PHP 7.3
    $options = array('expires' => (time() + (86400 * 30)), 'samesite' => 'Lax');
    setcookie("writer", $res["foo"] . "|" . $_POST["bar"], $options);
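
The following is an added example, not part of the original question or answer. It sets SameSite=Lax through the options array while keeping the question's path of "/" (the answer's array leaves path out) and prints the queued Set-Cookie header so the attribute can be checked locally. The helper names cookie_options() and set_lax_cookie() are hypothetical, and the cookie values are constructed stand-ins for $res["ID"] and $_POST["bar"].

```php
<?php
// Added example; requires PHP 7.3+ for the options-array form of setcookie().
// cookie_options() and set_lax_cookie() are hypothetical helper names.

/**
 * Build the setcookie() options array. Keys not listed here (domain,
 * secure, httponly) are left out, so PHP applies its defaults for them.
 */
function cookie_options(array $overrides = []): array
{
    $defaults = [
        'expires'  => time() + 86400 * 30, // 30 days, as in the question
        'path'     => '/',                 // the path the question used
        'samesite' => 'Lax',
    ];
    $options = array_merge($defaults, $overrides);

    // Current Chrome rejects SameSite=None cookies that are not Secure,
    // so fail early instead of sending a cookie that will be dropped.
    if (strcasecmp($options['samesite'], 'None') === 0 && empty($options['secure'])) {
        throw new InvalidArgumentException('SameSite=None requires secure => true');
    }
    return $options;
}

function set_lax_cookie(string $name, string $value, array $overrides = []): bool
{
    return setcookie($name, $value, cookie_options($overrides));
}

// Constructed sample values standing in for $res["ID"] and $_POST["bar"].
set_lax_cookie('foo', '42' . '|' . 'example');

// Print the Set-Cookie header(s) PHP has queued for this response.
header('Content-Type: text/plain');
foreach (headers_list() as $line) {
    if (stripos($line, 'Set-Cookie:') === 0) {
        echo $line, "\n";
    }
}
```

Serving this file with PHP's built-in web server (`php -S 127.0.0.1:8000`) and requesting it shows the header, including `SameSite=Lax`, without deploying to AWS.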