Can I ignore the Firefox DevTools SameSite cookie attribute warning?


None of my cookies have a SameSite attribute set. I have just noticed that Firefox DevTools console shows the following warning for my website:

Cookie “PHPSESSID” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

It also displays exactly the same warning message for my first-party cookies (such as the one I use to store a shopping basket) as well as for all the Google gtag cookies. I have checked, and both Safari and Chrome show no warning. If I didn't happen to use Firefox for development I would never have known!

The link provided to the Mozilla website provides no timeframe for when such cookies may be rejected by the browser and confusingly states that cookies without a SameSite attribute will be treated as Lax (which would be fine).

So my question really is: can I ignore this warning, as it seems somewhat erroneous, or must I take steps to set a SameSite attribute for all cookies, including session cookies, which is a bit of a hassle!

Thanks.


Solution

  • To answer my own question, in case this is of help to anyone: I decided to be on the safe side, so I wouldn't ignore the Firefox warning, and implemented the following code in .htaccess:

    <IfModule mod_headers.c>
    # Append SameSite=Lax to every Set-Cookie header this server sends
    Header always edit Set-Cookie ^(.*)$ "$1; SameSite=Lax"
    </IfModule>
    

    This sets SameSite to Lax for all my first party cookies including the PHP session cookie.

    I didn't set Secure and SameSite=None as I don't require this, and anyway it apparently has some support issues on older browsers.
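As an added example (not part of the question or the answer above), the following Python script emulates what the .htaccess rewrite does to a few constructed Set-Cookie headers, and compares it with a rewrite that only adds SameSite when the cookie does not already carry one. The function `firefox_warns` approximates the condition stated in the warning message (SameSite is "None" or an invalid value, and Secure is absent); the sample headers, the function names and the "last occurrence wins" handling of duplicate attributes are assumptions of this example, not anything from the post.

```python
# Constructed sample Set-Cookie headers, roughly what a PHP shop plus a
# third-party script might emit. Not captured from any real site.
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; path=/; HttpOnly",
    "basket=item42; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
    "tracker=xyz; Path=/; SameSite=None",            # the case Firefox warns about
    "widget=1; Path=/; Secure; SameSite=None",       # SameSite=None done correctly
    "pref=dark; Path=/; SameSite=Strict",            # already stricter than Lax
]

VALID_SAMESITE = {"lax", "strict", "none"}


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name=value, {attribute_lower: value}).

    Attributes are keyed case-insensitively; a repeated attribute keeps its
    last occurrence (assumption mirroring how RFC 6265 parsers behave).
    """
    parts = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return parts[0], attrs


def firefox_warns(header):
    """True when the warning condition from the question applies:
    SameSite is 'None' or invalid, and the Secure attribute is missing.
    A cookie with no SameSite attribute at all gets no warning (it defaults to Lax)."""
    _, attrs = parse_set_cookie(header)
    if "samesite" not in attrs:
        return False
    value = attrs["samesite"].lower()
    if value == "none" or value not in VALID_SAMESITE:
        return "secure" not in attrs
    return False


def apache_blind_append(header, value="Lax"):
    """Emulates `Header always edit Set-Cookie ^(.*)$ "$1; SameSite=Lax"`:
    the attribute is appended whether or not one is already present."""
    return f"{header}; SameSite={value}"


def add_samesite(header, default="Lax"):
    """Hardened rewrite: add SameSite only when the cookie has none,
    and never touch a cookie that already states its own policy."""
    _, attrs = parse_set_cookie(header)
    if "samesite" in attrs:
        return header
    return f"{header}; SameSite={default}"


def samesite_count(header):
    """Number of SameSite attributes in the header (more than one is a smell)."""
    return sum(
        1 for p in header.split(";")[1:] if p.strip().lower().startswith("samesite=")
    )


def audit(headers, rewrite=add_samesite):
    """Names of cookies that would still trigger the Firefox warning after `rewrite`."""
    flagged = []
    for header in headers:
        fixed = rewrite(header)
        if firefox_warns(fixed):
            flagged.append(fixed.split("=", 1)[0])
    return flagged


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        blind = apache_blind_append(header)
        careful = add_samesite(header)
        print(f"original : {header}  (warns={firefox_warns(header)})")
        print(f"blind    : {blind}  (SameSite attrs={samesite_count(blind)})")
        print(f"careful  : {careful}  (warns={firefox_warns(careful)})")
        print()
    print("still warning after careful rewrite:", audit(SAMPLE_HEADERS))
    print("still warning after blind rewrite  :", audit(SAMPLE_HEADERS, apache_blind_append))
```

Running it shows the two edge cases the one-line .htaccess rule does not handle: a cookie that already says `SameSite=Strict` ends up with two SameSite attributes and, in a browser that takes the last occurrence, is silently downgraded to Lax; and a third-party-style `SameSite=None` cookie without `Secure` stops producing the warning only because the appended `Lax` overrides `None`, not because the cookie was made secure. The careful rewrite leaves both alone, so the audit still reports the `tracker` cookie, which is the one that actually needs `Secure` (and HTTPS) or a different SameSite value.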