How to make OpenCart 2.3 properly support SameSite cookies for Chrome 80?
Posted: Mon Mar 16, 2020 2:35 pm
by HAO
Recently my payment gateway module failed to complete the checkout correctly. After contacting the payment gateway module company, it may be related to the support of iOS12 devices.
A technician from the payment gateway company told me that I had to modify the relevant code, but I don't know how to start. Can anyone help me? Thank you very much!
References:
Chrome 80 default SameSite=Lax
https://medium.com/@azure820529/chrome- ... ba0bc785a3
https://www.chromestatus.com/feature/5088147346030592
https://www.opencart.com/forum/viewtopi ... 20&t=87607
https://www.ithome.com.tw/news/133796
Re: How to make OpenCart 2.3 properly support SameSite cookies for Chrome 80?
Posted: Mon Mar 23, 2020 8:11 pm
by HAO
Can anyone tell me how to solve this?
Because it's very troublesome for me, I need to fix this!
Please help me, thanks!
Re: How to make OpenCart 2.3 properly support SameSite cookies for Chrome 80?
Posted: Mon Mar 23, 2020 8:33 pm
by ADD Creative
You need to provide more information as to what the problem is. Which cookie needs to be accessed from a third-party domain? It's probably related to your payment gateway.
Re: How to make OpenCart 2.3 properly support SameSite cookies for Chrome 80?
Posted: Mon Mar 23, 2020 8:49 pm
by HAO
Thanks for your reply!
I think this is the information I can provide. Dear Sir, can you test for me?
https://github.com/GoogleChromeLabs/sam ... -601984395
My Payment Gateway Module:
https://www.ecpay.com.tw/Service/Appcntr_Shpcar
Thank you!
Re: How to make OpenCart 2.3 properly support SameSite cookies for Chrome 80?
Posted: Mon Mar 23, 2020 10:19 pm
by ADD Creative
Have you cleared all your browser cookies or tested in incognito mode?
Re: How to make OpenCart 2.3 properly support SameSite cookies for Chrome 80?
Posted: Mon Mar 23, 2020 10:27 pm
by HAO
I did not find the problem in Firefox. In fact, I use Google Chrome without any problems.
However, there are still a few customers who report such problems to us. I don't know why this happens.
But according to what my payment gateway company told me, this is related to issues and SameSite, and they can't help me...
Can you perform related tests for me?
Thank you!
Re: How to make OpenCart 2.3 properly support SameSite cookies for Chrome 80?
Posted: Tue Mar 24, 2020 1:27 am
by ADD Creative
As far as I can tell it worked OK. The only third-party cookie I could see was one for Google. This was correctly set with SameSite = None and Secure. There were no messages in the console about blocked third-party cookies.
Try getting your customers to clear their cookies. It could be that they have the cookies without the SameSite attribute and it's not getting updated.
Re: How to make OpenCart 2.3 properly support SameSite cookies for Chrome 80?
Posted: Tue Mar 24, 2020 12:29 pm
by HAO
So you mean I don't need to make any changes to OpenCart and my payment gateway module. I just need to notify the customer, and asking him to clear his browser's cookies can solve this problem?
Do you mean that?
Re: How to make OpenCart 2.3 properly support SameSite cookies for Chrome 80?
Posted: Tue Mar 24, 2020 6:53 pm
by ADD Creative
Yes.
Re: How to make OpenCart 2.3 properly support SameSite cookies for Chrome 80?
Posted: Fri Apr 03, 2020 11:27 am
by HAO
I have been informed and tested by other friends. I confirm that my payment module does not support SameSite correctly.
My test step:
Enter in the URL column of Chrome: chrome://flags/ and search "SameSite"
Enable the following experiments:
SameSite by default cookies
Cookies without SameSite must be secure
After that, use my payment gateway module and select the payment method of "Shop Pickup Payment"
He found during testing that when he chose this payment method to complete the checkout process, the shopping cart items were emptied.
My friend told me this is a problem with the payment gateway module, but I don't know how to fix it.
Can you confirm my new link for me?
https://github.com/GoogleChromeLabs/sam ... -608208347
-----------------
I referenced some articles
https://github.com/GoogleChromeLabs/sam ... ter/php.md
https://stackoverflow.com/questions/581 ... nhHqatooYI
A friend in Taiwan said that I wanted to put these codes in a cookie-related file:
Code:
2.3.0.2-compiled/upload/catalog/controller/extension/module/amazon_login.php(10): setcookie('amazon_Login_state_cache', '', time() - 4815162342);
2.3.0.2-compiled/upload/catalog/controller/extension/module/amazon_login.php(195): setcookie('amazon_Login_state_cache', '', time() - 4815162342);
2.3.0.2-compiled/upload/catalog/controller/extension/module/amazon_pay.php(10): setcookie('amazon_Login_state_cache', '', time() - 4815162342);
2.3.0.2-compiled/upload/catalog/controller/extension/module/amazon_pay.php(217): setcookie('amazon_Login_state_cache', '', time() - 4815162342);
2.3.0.2-compiled/upload/catalog/controller/startup/startup.php(96): setcookie('language', $code, time() + 60 * 60 * 24 * 30, '/', $this->request->server['HTTP_HOST']);
2.3.0.2-compiled/upload/catalog/controller/startup/startup.php(124): setcookie('tracking', $this->request->get['tracking'], time() + 3600 * 24 * 1000, '/');
2.3.0.2-compiled/upload/catalog/controller/startup/startup.php(156): setcookie('currency', $code, time() + 60 * 60 * 24 * 30, '/', $this->request->server['HTTP_HOST']);
2.3.0.2-compiled/upload/system/library/session.php(50): setcookie($key, $this->session_id, ini_get('session.cookie_lifetime'), ini_get('session.cookie_path'), ini_get('session.cookie_domain'), ini_get('session.cookie_secure'), ini_get('session.cookie_httponly'));
2.3.0.2-compiled/upload/system/library/session.php(77): setcookie($key, '', time() - 42000, ini_get('session.cookie_path'), ini_get('session.cookie_domain'));
In simple terms, he asked me to add the following code to these files:
setcookie('key', 'value', time()+(7*24*3600), "/; SameSite=None; Secure");
Specifically, what should I do?
Re: How to make OpenCart 2.3 properly support SameSite cookies for Chrome 80?
Posted: Fri Apr 03, 2020 7:52 pm
by ADD Creative
See
https://github.com/GoogleChromeLabs/sam ... ter/php.md for how to add same site to PHP setcookie. It's easiest if you are using PHP 7.3+.
However, apart from maybe the language and currency, I can't think why your payment gateway module would need access to those cookies you listed. The problem more likely lies with the payment gateway module, which you will need to get the author to fix.
Re: How to make OpenCart 2.3 properly support SameSite cookies for Chrome 80?
Posted: Fri Apr 03, 2020 7:58 pm
by HAO
My cPanel can switch to php 7.3, so this is no problem.
But the important thing is, assuming my environment is already php 7.3, how can I apply the modifications to the OpenCart 2.3.0.2 file according to that article?
Anyway, my payment gateway module company is unwilling to help me. I have to solve this problem by myself, but I don't have the ability to program.
So I need a clear modification step. Can you help me?
Re: How to make OpenCart 2.3 properly support SameSite cookies for Chrome 80?
Posted: Sun Apr 05, 2020 8:09 pm
by webit
The problem is that Opencart should set a session cookie using a new attribute for samesite / secure (example samesite=None, Secure=true), otherwise Chrome will abort the cookie. In case a payment system is used that uses redirection and in case the customer takes over 2 minutes to finalize the payment, the customer session is lost when the customer returns to the store. The needed cookie attributes are only supported from PHP 7.3 (with the set_cookie function), in other cases the payment gateway providers should make a quickfix to prevent this problem, or an override should be made for OpenCart (although OpenCart should come up with a solution according to me). Chrome is implementing this gradually, so you might not experience this problem at the moment. You can test by setting the samesite cookie configuration in your Chrome browser like explained at
https://www.ghacks.net/2020/02/05/chrom ... -upgrades/
Re: How to make OpenCart 2.3 properly support SameSite cookies for Chrome 80?
Posted: Sun Apr 05, 2020 8:25 pm
by HAO
So you mean, my payment gateway module company must solve this problem for me, right?
Anyway, I have installed php 7.3 now. I need to be able to solve this problem with modification steps I can understand:
Open file, Search, Replace (or add code above or below)
Can anyone tell me what to do?
Because my payment gateway is really hard to do for me, if it is the part that OpenCart can handle, I hope to get your help.
Thank you!
Re: How to make OpenCart 2.3 properly support SameSite cookies for Chrome 80?
Posted: Sun Apr 05, 2020 9:17 pm
by ADD Creative
You need to change all the setcookie calls to the 2nd format by putting options in an array.
https://www.php.net/manual/en/function.setcookie.php
So
Code:
setcookie('currency', $code, time() + 60 * 60 * 24 * 30, '/', $this->request->server['HTTP_HOST']);
Becomes
Code:
setcookie('currency', $code, ['expires' => time() + 60 * 60 * 24 * 30, 'path' => '/', 'domain' => $this->request->server['HTTP_HOST'], 'samesite' => 'None', 'secure' => true]);
I wouldn't bother doing the Amazon cookies unless you are using the Amazon login or pay. I'd be wary of doing the session cookies, unless you have to, as one of the reasons for changing the default of SameSite was to protect cookies such as the session cookie.
Re: How to make OpenCart 2.3 properly support SameSite cookies for Chrome 80?
Posted: Mon Apr 06, 2020 2:12 am
by HAO
Thank you for your reply!
Because someone told me that I only need to search and change the code for the following keywords:
So you mean I just need to modify these two codes?
Code:
setcookie('language', $code, time() + 60 * 60 * 24 * 30, '/', $this->request->server['HTTP_HOST']);
and
Code:
setcookie('currency', $code, time() + 60 * 60 * 24 * 30, '/', $this->request->server['HTTP_HOST']);
Because I don't need to use Amazon, I should not need to modify this file, but how do I modify other files?
Thank you!
Re: How to make OpenCart 2.3 properly support SameSite cookies for Chrome 80?
Posted: Tue Apr 07, 2020 1:20 am
by ADD Creative
Yes, change those two lines with setcookie first and the tracking one. If that doesn't help you have to look at changing the setcookie lines in system/library/session.php as well.
Re: How to make OpenCart 2.3 properly support SameSite cookies for Chrome 80?
Posted: Tue Apr 07, 2020 1:28 am
by HAO
I have modified the file, but the error warning still exists.
What should I do next?
Re: How to make OpenCart 2.3 properly support SameSite cookies for Chrome 80?
Posted: Tue Apr 07, 2020 6:18 pm
by ADD Creative
What files have you changed so far? What warnings are you still getting? What cookies and flags do you see in your web browser's development tool?
Re: How to make OpenCart 2.3 properly support SameSite cookies for Chrome 80?
Posted: Tue Apr 07, 2020 6:37 pm
by HAO
Thank you very much for the help of ADD Creative. I seem to have solved this problem!
Thank you!
Open file:
upload/catalog/controller/startup/startup.php
Found
Code:
setcookie('currency', $code, time() + 60 * 60 * 24 * 30, '/', $this->request->server['HTTP_HOST']);
Replace
Code:
setcookie('currency', $code, ['expires' => time() + 60 * 60 * 24 * 30, 'path' => '/', 'domain' => $this->request->server['HTTP_HOST'], 'samesite' => 'None', 'secure' => true]);
Found
Code:
setcookie('language', $code, time() + 60 * 60 * 24 * 30, '/', $this->request->server['HTTP_HOST']);
Replace
Code:
setcookie('language', $code, ['expires' => time() + 60 * 60 * 24 * 30, 'path' => '/', 'domain' => $this->request->server['HTTP_HOST'], 'samesite' => 'None', 'secure' => true]);
Open file:
upload/system/library/session.php
Found
Code:
setcookie($key, $this->session_id, ini_get('session.cookie_lifetime'), ini_get('session.cookie_path'), ini_get('session.cookie_domain'), ini_get('session.cookie_secure'), ini_get('session.cookie_httponly'));
Replace
Code:
setcookie($key, $this->session_id, ['expires' => ini_get('session.cookie_lifetime'), 'path' => ini_get('session.cookie_path'), 'domain' => ini_get('session.cookie_domain'), 'samesite' => 'None', 'secure' => true, 'httponly' => ini_get('session.cookie_httponly')]);
Found
Code:
setcookie($key, '', time() - 42000, ini_get('session.cookie_path'), ini_get('session.cookie_domain'));
Replace
Code:
setcookie($key, '', ['expires' => time() - 42000, 'path' => ini_get('session.cookie_path'), 'domain' => ini_get('session.cookie_domain'), 'samesite' => 'None', 'secure' => true]);
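The change worked through in this thread, as an added example that is not OpenCart's code or any poster's: one wrapper that sends the SameSite attribute through the PHP 7.3+ options array and falls back to the path-suffix workaround quoted earlier in the thread on older PHP. The function name `oc_set_cookie`, the `Lax` default, the domain `shop.example` and the cookie values are assumptions made for illustration.

```php
<?php
// Added example; oc_set_cookie() is a hypothetical helper, not an OpenCart API.

function oc_set_cookie($name, $value, $expires, $path = '/', $domain = '',
                       $samesite = 'Lax', $httponly = false)
{
    if (!in_array($samesite, ['Lax', 'Strict', 'None'], true)) {
        throw new InvalidArgumentException('Unknown SameSite value: ' . $samesite);
    }

    // Chrome 80 only accepts SameSite=None together with Secure, so force
    // Secure in that case; otherwise follow the scheme of the current request.
    $https  = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    $secure = ($samesite === 'None') ? true : $https;

    if (PHP_VERSION_ID >= 70300) {
        // PHP 7.3+: options-array form of setcookie(), as used in the thread.
        return setcookie($name, $value, [
            'expires'  => $expires,
            'path'     => $path,
            'domain'   => $domain,
            'secure'   => $secure,
            'httponly' => $httponly,
            'samesite' => $samesite,
        ]);
    }

    // Older PHP has no samesite option: append the attribute to the path,
    // the workaround quoted earlier in the thread.
    return setcookie($name, $value, $expires, $path . '; SameSite=' . $samesite,
                     $domain, $secure, $httponly);
}

// Usage with constructed values (domain, codes and cookie names are placeholders).
$month = time() + 60 * 60 * 24 * 30;
oc_set_cookie('currency', 'TWD', $month, '/', 'shop.example', 'None');
oc_set_cookie('language', 'zh-TW', $month, '/', 'shop.example', 'None');

// Session cookie: stays Lax and HttpOnly here. Switch it to 'None' only if the
// gateway's return request is shown to need it, since the Lax default exists
// to keep this cookie off cross-site requests.
oc_set_cookie('session_cookie_name', 'constructed-session-id', 0, '/',
              'shop.example', 'Lax', true);
```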