Hi guys!
Hi Joaquín! Having a similar issue with a Moodle install I work on, and I'm trying to figure out the problem.
This has been around for a while, but I think it might be more frequent because Google just rolled out enforcement of this SameSite stuff for Chrome 80+ on August 11th: https://www.chromium.org/updates/same-site.
Do you know which version of PHP you are running? If you're running 7.3 or higher, the cookie-setting code is not line 314 but rather these lines: https://github.com/moodle/moodle/blob/9ce2442ea91d7872a37e7d434d29ba2baf4671a5/lib/classes/session/manager.php#L296-L310.
What's happening for me is that this is working on one site running PHP 7.3 and Moodle 3.8.2 20200309, but it's not working on another with the same specs. ¯\_(ツ)_/¯ Trying to figure out if it's a difference in the PHP environments etc. Will keep you posted if I discover anything! =)
Hi Mike!
On this particular web server I'm running PHP 7.1.33, so line 314 should do the work for me. According to this, the function
session_set_cookie_params(with five parameters)
doesn't set the same-site value. I tried with
session_set_cookie_params( array $options )
and it broke, maybe because I have PHP 7.1.33, I don't know. I tried to pass the parameter in another form and it worked! :D No more problems with the "same-site" issue in Google Chrome, until I tried to log in to Moodle. The login doesn't work, and not in the Opera browser either. Oops.
In your case, what are you seeing in the Google Chrome console? In my case I see the "same-site" issue, then I fix it and see a new issue, "secure" (it's needed for the cookie), then I fix it and see a new issue, "SSL certificate" (it's needed for the site now), and then I found the problem of not being able to log in in the Opera browser.
If you have any clue, let me know, see you!
Strange! I did manage to fix my PHP 7.3 troubles, but it sounds like you've got something else going on.
Some ideas:
MAYBE NOT AN IFRAME AFTER ALL
Reading through your original question again, I'm actually not sure if the iframe solution is your best move here. It might be simpler to add a redirect through your server.
Of course, maybe I'm missing something and you really need an iframe! In that case, I'd suggest reverting any changes you might've made to lib/classes/session/manager.php, since the 3.8.2 code should work if I'm understanding your desired application correctly (serving Moodle, which is located in subdomain.anotherdomain, in an iframe from a page in domain/folder).
If Moodle is running on a server with PHP 7.1, here's what happens in manager.php:
- The session starts in start()
- prepare_cookies is called in start(), and because you're on PHP 7.1, session_set_cookie_params is called on line 314 properly for PHP 7.1 (which doesn't allow for the array of options signature; that didn't show up until 7.3; see the changelog on https://www.php.net/manual/en/function.session-set-cookie-params.php), and samesite isn't addressed at all in the session_set_cookie_params call.
- A few lines later in start(), initialise_user_session gets called, and at the end of that function, the hack that was added for Moodle 3.8.2 gets called: append_samesite_cookie_attribute. This is what Moodle uses to append the samesite attribute onto cookies for PHP versions less than 7.3.
- append_samesite_cookie_attribute checks to make sure the samesite stuff is necessary by checking should_use_samesite_none, and if it is, it appends "; SameSite=None" to the Set-Cookie header for all session_name() cookies.
HOW I FIXED MY PROBLEM (PHP 7.3)
Even tho my fix for my issue was for PHP 7.3, it might also be relevant/helpful for you (or for anybody else reading this after a Google!). From what I understand, your session.cookie settings in local or main php.ini files override whatever you set through script for individual cookies (reference), so session variables you set there would override Moodle's settings and attempts.
So in your case, you'd want to make sure something in your php.ini isn't overriding secure cookies by setting session.cookie_secure to 0 or Off. If you want to ensure secure cookies, you'd put this in your php.ini:
session.cookie_secure = 1
In my case, the problem was with session.cookie_samesite (only available in >= PHP 7.3) in a main php.ini file, where it was being set like this:
session.cookie_samesite = None
and needed to be set like this:
session.cookie_samesite = "None"
Because none without quotes means false in PHP ini files, and if you set it to false, you're unsetting it, which makes PHP not send the samesite attribute at all, and Chrome 80+ assumes that a missing samesite attribute means samesite=Lax ¯\_(ツ)_/¯ (reference).
***
Hope something in all that helps! =) The tl;dr: don't mess with manager.php, revert any changes you made there, maybe look into doing a mod_rewrite redirect instead of serving Moodle in an iframe, and if that isn't an option for some reason, check your php.ini files.
Because otherwise is_moodle_cookie_secure() wouldn't return true, so neither would should_use_samesite_none(), and append_samesite_cookie_attribute() wouldn't append the SameSite=None onto the cookies. =)
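The two checks discussed in this thread, as an added example that is not part of the original posts and is not Moodle's code: one function audits php.ini-style text for the unquoted `None` problem and for SameSite=None without secure cookies, the other shows the PHP < 7.3 idea of appending SameSite=None to a session cookie only when it is already Secure. The function names, the `MoodleSession` cookie name and all sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example, not Moodle's code. Sample inputs below are constructed.

/** Findings for session.cookie_* settings in php.ini-style text. */
function audit_session_cookie_ini(string $iniText): array
{
    // In INI_SCANNER_NORMAL mode the bare words none/no/off/false parse
    // to "" and yes/on/true to "1"; quoted strings are kept verbatim.
    $ini = parse_ini_string($iniText, false, INI_SCANNER_NORMAL);
    if ($ini === false) {
        return ['ini text could not be parsed'];
    }
    $findings = [];
    $sameSite = (string) ($ini['session.cookie_samesite'] ?? '');
    if (array_key_exists('session.cookie_samesite', $ini) && $sameSite === '') {
        $findings[] = 'cookie_samesite is empty (unquoted None?): attribute not sent';
    }
    if (strcasecmp($sameSite, 'None') === 0 && empty($ini['session.cookie_secure'])) {
        $findings[] = 'SameSite=None without cookie_secure: browser rejects the cookie';
    }
    return $findings;
}

/** PHP < 7.3 fallback: tag the session cookie's Set-Cookie line by hand. */
function add_samesite_none(array $headerLines, string $cookieName): array
{
    foreach ($headerLines as &$line) {
        if (strncasecmp($line, 'Set-Cookie:', 11) !== 0) {
            continue;
        }
        $cookie = ltrim(substr($line, 11));
        $isSession = strpos($cookie, $cookieName . '=') === 0;
        $isSecure = preg_match('/;\s*secure\s*(;|$)/i', $cookie) === 1;
        $hasSameSite = preg_match('/;\s*samesite\s*=/i', $cookie) === 1;
        // SameSite=None is only useful on a Secure cookie, so gate on it.
        if ($isSession && $isSecure && !$hasSameSite) {
            $line .= '; SameSite=None';
        }
    }
    unset($line);
    return $headerLines;
}

print_r(audit_session_cookie_ini("session.cookie_samesite = None\nsession.cookie_secure = 1"));
print_r(audit_session_cookie_ini("session.cookie_samesite = \"None\"\nsession.cookie_secure = 0"));
print_r(add_samesite_none([
    'Set-Cookie: MoodleSession=abc123; path=/; secure; HttpOnly',
    'Set-Cookie: MoodleSession=abc123; path=/',
], 'MoodleSession'));
```

Only the first sample header gains the attribute; the second is left alone because it lacks `secure`, which matches the gating described in the last post.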