Your software
My Mautic version is: 2.16.1
My PHP version is: 7.3
Your problem
My problem is: though I upgraded to Mautic 2.16 with PHP 7.3 and Apache 2.4.29, the SameSite cookie problem is not resolved. It is claimed to be fixed in this version: https://github.com/mautic/mautic/pull/8436/commits/baf7a2f2bcbb218ec1ea45d0ec8e89d3625db752
If I remove the SameSite attribute from the Apache conf, the SameSite=None attribute does not work; however, if I enable the headers module and define the following
#Header set Set-Cookie: "language=eng; path=/; HttpOnly; Secure; SameSite=None"
no warnings are shown in the Chrome browser for cross-site cookies. That brings another peculiar issue, which is CORS: my XMLHttpRequests are getting blocked. Following is the error log from the Chrome browser's console.
These errors are showing in the log:
Access to XMLHttpRequest at 'http://alpha.eastbayinfo.org/mtc/event' from origin 'http://eastbayinfo-beta.thrivebrokers.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
In Nginx I don't see this CORS issue, but SameSite=None cannot be set. My question is: if it is fixed in the new version of Mautic (it is claimed to be fixed in this version: https://github.com/mautic/mautic/pull/8436/commits/baf7a2f2bcbb218ec1ea45d0ec8e89d3625db752),
how can I test this fix that Mautic has done? I did not find any clear instructions to test this. Please let me know if anyone is facing the same issue as me. Any help is appreciated, thank you!
This is my Apache configuration for the site:
<VirtualHost *:80>
ServerAdmin admin@alpha.eastbayinfo.org
DocumentRoot /var/www/html/mautic
ServerName alpha.eastbayinfo.org
ServerAlias alpha.eastbayinfo.org
#RewriteEngine On
#RewriteCond %{HTTPS} off
#RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
<Directory /var/www/html/mautic/>
Options +FollowSymlinks
AllowOverride All
Require all granted
Header set Set-Cookie: "language=eng; path=/; HttpOnly; Secure; SameSite=None"
Header set Access-Control-Allow-Credentials true
#Header set Access-Control-Allow-Origin "http://eastbayinfo-beta.thrivebrokers.com"
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
Header set Access-Control-Max-Age "36000"
Header set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, accept, client-security-token"
Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' *.eastbayinfo.org *.google.com *.googleapis.com *.facebook.com"
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLCertificateFile /etc/letsencrypt/live/alpha.eastbayinfo.org/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/alpha.eastbayinfo.org/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/alpha.eastbayinfo.org/chain.pem
</VirtualHost>
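The two failures described in this post (a tracking cookie that Chrome will not send cross-site unless it carries both `SameSite=None` and `Secure`, and a credentialed CORS request refused because `Access-Control-Allow-Origin` is the wildcard `*`) can both be checked offline against captured response headers. The script below is an added example, not code from the post or from Mautic; it reuses the origins and the `/mtc/event` endpoint quoted in the post as sample values, and the header sets it inspects are constructed to mirror the wildcard configuration shown above and a corrected variant that reflects one specific origin.

```python
"""Check Set-Cookie attributes and credentialed-CORS response headers the way
a browser would. Added example; the sample header sets below are constructed."""
from typing import Dict, Tuple

# Values taken from the post's console error (the page under test and the caller).
TRACKED_SITE = "http://alpha.eastbayinfo.org"          # serves /mtc/event
CALLING_ORIGIN = "http://eastbayinfo-beta.thrivebrokers.com"

# Constructed: response headers produced by the wildcard config in the post ...
WILDCARD_RESPONSE: Dict[str, str] = {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
    "Set-Cookie": "language=eng; path=/; HttpOnly; Secure; SameSite=None",
}
# ... and by a corrected config that names the calling origin explicitly.
SPECIFIC_RESPONSE: Dict[str, str] = {
    "Access-Control-Allow-Origin": CALLING_ORIGIN,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",  # so a shared cache never replays this answer to another origin
    "Set-Cookie": "language=eng; path=/; HttpOnly; Secure; SameSite=None",
}


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie value into name, value and a lower-cased attribute map.
    Flag attributes (Secure, HttpOnly) map to True; valued ones keep their string."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def cookie_is_cross_site_ready(header: str) -> bool:
    """Chrome (80+) only sends a cookie in a cross-site request when it is
    marked SameSite=None *and* Secure; one without the other is dropped."""
    attrs = parse_set_cookie(header)["attrs"]
    samesite = attrs.get("samesite")
    return (isinstance(samesite, str) and samesite.lower() == "none"
            and attrs.get("secure") is True)


def cors_response_accepted(response: Dict[str, str], request_origin: str,
                           with_credentials: bool) -> Tuple[bool, str]:
    """Reproduce the browser's access-control check for a (pre)flight response.
    Returns (accepted, reason). Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in response.items()}
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return False, "no Access-Control-Allow-Origin header"
    if not with_credentials:
        # Anonymous requests may be answered with the wildcard or the exact origin.
        ok = acao == "*" or acao == request_origin
        return ok, "ok" if ok else "origin mismatch"
    # withCredentials=true (cookies attached): the wildcard is refused outright,
    # the origin must match exactly, and ACAC must be the literal string "true".
    if acao == "*":
        return False, "wildcard Access-Control-Allow-Origin with credentials mode 'include'"
    if acao != request_origin:
        return False, "origin mismatch"
    if h.get("access-control-allow-credentials") != "true":
        return False, "Access-Control-Allow-Credentials must be exactly 'true'"
    return True, "ok"


def report(response: Dict[str, str]) -> Dict[str, object]:
    """Summarise both checks for one captured response."""
    accepted, reason = cors_response_accepted(response, CALLING_ORIGIN, True)
    return {
        "cookie_cross_site_ready": cookie_is_cross_site_ready(response["Set-Cookie"]),
        "credentialed_cors_ok": accepted,
        "reason": reason,
    }


if __name__ == "__main__":
    for label, resp in (("wildcard", WILDCARD_RESPONSE), ("specific", SPECIFIC_RESPONSE)):
        print(label, report(resp))
```

`report(WILDCARD_RESPONSE)` reproduces the console error quoted in the post (the cookie passes, the credentialed CORS check fails on the wildcard), while `report(SPECIFIC_RESPONSE)` passes both. To check the Mautic fix itself rather than the Apache header override, capture the `Set-Cookie` line the tracking endpoint returns (for example with `curl -sI` against the `/mtc/event` URL) and pass it to `cookie_is_cross_site_ready`: the fix is effective only if the cookie Mautic emits, not one injected by `Header set`, already carries `SameSite=None; Secure`. Note that `Header set Set-Cookie` replaces every `Set-Cookie` header in the response with that one fixed value, which will also clobber the PHP session cookie; `Header edit Set-Cookie` (a regex rewrite that appends attributes to each existing cookie) is the mod_headers directive for adding attributes to cookies the application already sets.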