Omnipay sets the PHPSESSID cookie which now requires the SameSite attribute. How can SameSite be added to the cookie?

steveorg

1 Answer

Looking through the code, I'm not convinced Omnipay has a specific cookie dependency. The PHPSESSID cookie is controlled through your php.ini configuration. You can set this with the session.cookie_samesite key in the file or using session_set_cookie_params().

You will need to determine what the correct SameSite attribute to set for your site is. I would try setting Lax first and then test your checkout flow, especially any stages that feature a redirect (such as returning from 3-D Secure verification or PayPal). I would not recommend setting your main session cookie to SameSite=None; Secure unless your entire site is used in an embedded, third-party context. However, if things are broken you can use this as a temporary fix; just keep in mind you are losing the security benefits.

Ideally, you should also ensure that the cookie is set to Secure and HttpOnly if possible.

rowan_m
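The session-cookie settings described in the answer above, as an added example (not code from the answer or from Omnipay). The function name `configure_session_cookie` is hypothetical, and the example assumes the site is served over HTTPS only.

```php
<?php
// Added example. Equivalent php.ini settings (session.cookie_samesite needs PHP 7.3+):
//   session.cookie_samesite = "Lax"
//   session.cookie_secure   = 1
//   session.cookie_httponly = 1

// Hypothetical helper: call before session_start() and before any output is sent.
function configure_session_cookie(string $sameSite = 'Lax'): void
{
    if (!in_array($sameSite, ['Lax', 'Strict', 'None'], true)) {
        throw new InvalidArgumentException("Unsupported SameSite value: $sameSite");
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        throw new RuntimeException('Session already started; cookie params can no longer change.');
    }

    // Assumption: HTTPS-only site. Browsers reject SameSite=None without Secure.
    $secure  = true;
    $current = session_get_cookie_params(); // keep existing lifetime/path/domain

    if (PHP_VERSION_ID >= 70300) {
        // PHP 7.3+ accepts an options array including 'samesite'.
        session_set_cookie_params([
            'lifetime' => $current['lifetime'],
            'path'     => $current['path'],
            'domain'   => $current['domain'],
            'secure'   => $secure,
            'httponly' => true,
            'samesite' => $sameSite,
        ]);
    } else {
        // Older PHP has no samesite option. A common workaround appends the
        // attribute to the path, which PHP copies verbatim into Set-Cookie.
        session_set_cookie_params(
            $current['lifetime'],
            $current['path'] . '; SameSite=' . $sameSite,
            $current['domain'],
            $secure,
            true
        );
    }
}

configure_session_cookie('Lax'); // start with Lax, then test redirect-based checkout steps
session_start();
```

After deploying, inspect the `Set-Cookie` response header for PHPSESSID in the browser's developer tools to confirm `SameSite`, `Secure` and `HttpOnly` are present.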