Opencart Samesite Issue

Ayhan Kesicioğlu
3 min read, Sep 10, 2020


The Issue:

The SameSite issue introduced by the new Chrome update also affects OpenCart. It is most visible at the payment stage: when the customer is redirected to the bank's page for 3D Secure SMS verification and then sent back to the shop, the session is terminated, which causes serious problems.

The Solution:

First, make sure the PHP version you are using is 7.3 or higher; this solution requires at least 7.3. If you are using a lower version, you can adapt the code by looking at the sources I provided; I didn't include it because I couldn't test it. I should also mention that I tried this solution on OpenCart 2.3 and it works without any problems. I will give the details below, but in general I solved it by adding 'samesite' => 'None' together with the secure parameters before the session_start() and setcookie() commands (browsers only honour SameSite=None when the cookie is also marked Secure, so the shop must be served over HTTPS).

Note: I wrote this solution for OpenCart, but you can also apply it to your own software; the commands you need to find and change are the same two.

1. system/library/session.php

Find:

session_set_cookie_params(0, '/');
session_start();

Replace:

if (PHP_VERSION_ID < 70300) {
session_set_cookie_params(0, '/; samesite=None', '.yoursite.com', true, true);
} else {
ini_set('session.cookie_samesite', 'None');
session_set_cookie_params([
'lifetime' => 0,
'path' => '/',
'domain' => '.yoursite.com',
'secure' => true,
'httponly' => true,
'samesite' => 'None'
]);
}
session_start();

Find:

if ($key != 'PHPSESSID') {
setcookie($key, $this->session_id, ini_get('session.cookie_lifetime'), ini_get('session.cookie_path'), ini_get('session.cookie_domain'), ini_get('session.cookie_secure'), ini_get('session.cookie_httponly'));
}

Replace:

if (PHP_VERSION_ID < 70300) {
setcookie($key, $this->session_id, ini_get('session.cookie_lifetime'), ini_get('session.cookie_path'), ini_get('session.cookie_domain'), ini_get('session.cookie_secure'), ini_get('session.cookie_httponly'));
} else {
$samesite_cookie_options = array (
'expires' => ini_get('session.cookie_lifetime'),
'path' => ini_get('session.cookie_path'),
'domain' => ini_get('session.cookie_domain'),
'secure' => true, // must stay true while samesite is 'None'; browsers reject SameSite=None without Secure
'httponly' => true, // or false
'samesite' => 'None' // None || Lax || Strict
);
setcookie($key, $this->session_id, $samesite_cookie_options);
}

Find:

setcookie($key, '', time() - 42000, ini_get('session.cookie_path'), ini_get('session.cookie_domain'));

Replace:

if (PHP_VERSION_ID < 70300) {
setcookie($key, '', time() - 42000, ini_get('session.cookie_path'), ini_get('session.cookie_domain'));
} else {
$samesite_cookie_options = array (
'expires' => time() - 42000, // expiry in the past deletes the cookie
'path' => ini_get('session.cookie_path'),
'domain' => ini_get('session.cookie_domain'),
'secure' => true, // must stay true while samesite is 'None'
'httponly' => true, // or false
'samesite' => 'None' // None || Lax || Strict
);
setcookie($key, '', $samesite_cookie_options);
}

2. catalog/controller/startup/startup.php

Find:

setcookie('language', $code, time() + 60 * 60 * 24 * 30, '/', $this->request->server['HTTP_HOST']);

Replace:

if (PHP_VERSION_ID < 70300) {
setcookie('language', $code, time() + 60 * 60 * 24 * 30, '/', $this->request->server['HTTP_HOST']);
} else {
$samesite_cookie_options = array (
'expires' => time() + 60 * 60 * 24 * 30,
'path' => '/',
'domain' => $this->request->server['HTTP_HOST'],
'secure' => true, // must stay true while samesite is 'None'
'httponly' => true, // or false
'samesite' => 'None' // None || Lax || Strict
);
setcookie('language', $code, $samesite_cookie_options);
}

Find:

setcookie('tracking', $this->request->get['tracking'], time() + 3600 * 24 * 1000, '/');

Replace:

if (PHP_VERSION_ID < 70300) {
setcookie('tracking', $this->request->get['tracking'], time() + 3600 * 24 * 1000, '/');
} else {
$samesite_cookie_options = array (
'expires' => time() + 3600 * 24 * 1000,
'path' => '/',
'domain' => $this->request->server['HTTP_HOST'],
'secure' => true, // must stay true while samesite is 'None'
'httponly' => true, // or false
'samesite' => 'None' // None || Lax || Strict
);
setcookie('tracking', $this->request->get['tracking'], $samesite_cookie_options);
}

Find:

setcookie('currency', $code, time() + 60 * 60 * 24 * 30, '/', $this->request->server['HTTP_HOST']);

Replace:

if (PHP_VERSION_ID < 70300) {
setcookie('currency', $code, time() + 60 * 60 * 24 * 30, '/', $this->request->server['HTTP_HOST']);
} else {
$samesite_cookie_options = array (
'expires' => time() + 60 * 60 * 24 * 30,
'path' => '/',
'domain' => $this->request->server['HTTP_HOST'],
'secure' => true, // must stay true while samesite is 'None'
'httponly' => true, // or false
'samesite' => 'None' // None || Lax || Strict
);
setcookie('currency', $code, $samesite_cookie_options);
}

3. Search all your files and change the session_start() and setcookie() commands as above. The changes in the first two files are actually sufficient, but I still recommend scanning your other files to avoid surprises.
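As an added example (not code from the post or from OpenCart), the version branch repeated in every edit above can be collected into two helpers, one for the session cookie and one for setcookie(); the function names, the hand-built Set-Cookie header for PHP below 7.3, and the rule that SameSite=None must be paired with Secure are this example's own choices.

```php
<?php
// Added example, not code from the post or from OpenCart: the version branch
// the post repeats in every file, collected into one helper for the session
// cookie and one for setcookie(). The function names and the rule that
// SameSite=None must be paired with Secure are this example's own choices.

function configure_samesite_session(string $domain, string $samesite = 'None'): void
{
    if (PHP_VERSION_ID < 70300) {
        // Pre-7.3 workaround from the post: carry the attribute in the path.
        session_set_cookie_params(0, '/; samesite=' . $samesite, $domain, true, true);
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'domain' => $domain,
        'secure' => true, 'httponly' => true, 'samesite' => $samesite,
    ]);
}

function set_samesite_cookie(string $name, string $value, int $expires, string $path = '/',
    string $domain = '', bool $secure = true, bool $httponly = true, string $samesite = 'None'): bool
{
    // Browsers discard SameSite=None cookies that lack Secure, which would
    // silently bring back the lost-session problem the post describes.
    if (strcasecmp($samesite, 'None') === 0 && !$secure) {
        throw new InvalidArgumentException('SameSite=None requires the Secure flag');
    }
    if (PHP_VERSION_ID >= 70300) {
        return setcookie($name, $value, [
            'expires' => $expires, 'path' => $path, 'domain' => $domain,
            'secure' => $secure, 'httponly' => $httponly, 'samesite' => $samesite,
        ]);
    }
    // Before 7.3 setcookie() has no samesite option and rejects ';' inside the
    // path, so build the Set-Cookie header by hand instead.
    $header = 'Set-Cookie: ' . $name . '=' . rawurlencode($value);
    if ($expires !== 0) {
        $header .= '; Expires=' . gmdate('D, d-M-Y H:i:s T', $expires);
    }
    $header .= '; Path=' . $path;
    if ($domain !== '') {
        $header .= '; Domain=' . $domain;
    }
    $header .= ($secure ? '; Secure' : '') . ($httponly ? '; HttpOnly' : '');
    header($header . '; SameSite=' . $samesite, false);
    return true;
}
// Usage matching the post's startup.php edit (assumes HTTPS, as Secure requires):
// set_samesite_cookie('language', $code, time() + 60 * 60 * 24 * 30, '/', $_SERVER['HTTP_HOST']);
```

Call configure_samesite_session() before session_start() and use set_samesite_cookie() in place of each setcookie() call, then confirm in the browser's developer tools that the Set-Cookie responses carry both SameSite=None and Secure.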
