Cross site cookies

Do we have the ability to set Security Provider cookies with SameSite=None and Secure?

I have logins working with iOS and Android, however the editor and browser do not work and I’m assuming this is the reason with chrome updates.

Bumping this as the newer versions of chrome will block instead of warn.

Same question from me, now getting pretty urgent

@patrick Looks like this has your name on it 🙂

Can you comment? Right now, I’m working on a mobile site and using the browser platform for testing, but the PHPSESSID is not coming through. I’m assuming this is causing my site security to break but I’m not positive. Is this a cross site cookie issue? Or is it because I’m running on localhost?

Either way, testing is a challenge right now since the editor is blocking cross site cookies, and my browser is warning, but still not working…

Could really benefit from your expertise today!

This option will be included in server connect in this week’s update.

I have no control over the PHPSESSID; that is being set by PHP. You can configure that in the php.ini.

Okay, so based on your description here:

A user should remain logged in to the security enforcer even if there is no PHPSESSID, correct?

My situation is a localhost in front end, and fqd on the back end. The security enforcer cookie is set, however I immediately get a null value for the id. And in this particular case, the security cookie is not blocked. What am I missing?

Some visuals:

The cookie:

I am still having trouble here.

2.6 Wappler

I’m now setting the secure and samesite=none; however, the chrome warning persists and the settings don’t seem to be impacting the cookie that reaches the client.

Server settings

Resulting cookie in the browser

And thus, the current user is never found.

But this is on a localhost fw7 client, and chrome is only warning, not blocking…so I’m just at a loss.

Ideas?

Can you check in the source code of /dmxConnect/modules/Connections/siteSecurity.php if the secure and sameSite options are added?

Hey @patrick

If you meant /dmxConnect/modules/SecurityProviders/siteSecurity.php, then yes the secure and sameSite are in there…

That looks good, check if you have the updated dmxConnectLib/lib/core/Response.php and have uploaded it to the server. On line 86 you should find if (isset($options->secure)) { if you have the new file. If you have an old file then delete it and let Wappler copy the new one by saving the server action.

And it was properly uploaded to server.

@patrick

Just wanted to let you know that on ios, the setting of secure and samesite works. Just not on localhost.

Thank you, I was already thinking it was not being sent at all. What is the difference between your ios and localhost? Why would it work on the one and not on the other? The headers should be the same in both cases.

I am starting to believe it relates to needing to inject the first cookie when using wkwebview.

document.addEventListener('deviceready', () => {
    wkWebView.injectCookie('your-domain/');
});

If I take that code out, then ios breaks as well.

However, on localhost, it looks like wkwebview doesn’t load (which makes sense, right?)

@patrick

Sorry to pester on this one, but it’s really hard to test things in the browser without a valid current user.

To review, when using localhost with a port number, the security provider does not work for me. As noted above, I’m wondering if because we need to inject a cookie to help wkwebview work, that this is our issue since this will not load in a browser.

Any Ideas?
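
As an added example (not part of the thread and not Wappler's code): a small Node.js checker for the question raised above of whether the Secure and SameSite=None attributes actually reach the client. Give it a Set-Cookie value copied from DevTools or `curl -i`; the sample headers and the cookie name `site_security` are constructed, and the verdicts encode Chrome 80+ handling of cross-site subrequests.

```javascript
// Added example: audit a raw Set-Cookie value against Chrome 80+ SameSite rules.
// Cookie values and the name "site_security" are constructed, not from the thread.

function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? '' : pair.slice(0, eq),
    value: eq === -1 ? pair : pair.slice(eq + 1),
    attrs: {},
  };
  for (const attr of rest) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    // Attribute names are case-insensitive; flag attributes (Secure, HttpOnly) have no value.
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Verdict for a cross-site subrequest (XHR/fetch from a page on another site).
function crossSiteVerdict(header) {
  const { name, attrs } = parseSetCookie(header);
  const raw = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : '';
  const secure = 'secure' in attrs;
  if (raw === 'none') {
    return secure
      ? { name, sent: true, reason: 'SameSite=None with Secure' }
      : { name, sent: false, reason: 'SameSite=None without Secure: cookie is rejected' };
  }
  if (raw === 'strict' || raw === 'lax') {
    return { name, sent: false, reason: `SameSite=${raw}: withheld cross-site` };
  }
  // Missing or unrecognised SameSite falls back to the Lax default.
  return { name, sent: false, reason: 'no valid SameSite: treated as Lax' };
}

const samples = [
  'PHPSESSID=abc123; path=/',
  'site_security=xyz; Path=/; HttpOnly; SameSite=None',
  'site_security=xyz; Path=/; HttpOnly; Secure; SameSite=None',
];
for (const h of samples) {
  const v = crossSiteVerdict(h);
  console.log(`${v.name}: ${v.sent ? 'sent' : 'NOT sent'} (${v.reason})`);
}
```

A `sent: true` verdict still requires the request itself to go over HTTPS, since Secure cookies are only sent on secure connections.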