Mautic Community Forums

Setting cookie to samesite=none not working

Your software
My Mautic version is: 2.16.1
My PHP version is: 7.3

Your problem
My problem is: though I upgraded to Mautic 2.16 with PHP 7.3 and Apache 2.4.29, the SameSite cookie problem is not resolved. It is claimed to be fixed in this version: https://github.com/mautic/mautic/pull/8436/commits/baf7a2f2bcbb218ec1ea45d0ec8e89d3625db752
If I remove the SameSite attribute from the Apache conf, the SameSite=None attribute does not work; however, if I enable the headers module and define the following:
#Header set Set-Cookie: "language=eng; path=/; HttpOnly; Secure; SameSite=None"
no warnings are shown in the Chrome browser for cross-site cookies. That brings another peculiar issue, which is CORS: my XMLHttpRequests are getting blocked. The following is the error log from the Chrome browser's console:

These errors are showing in the log:
Access to XMLHttpRequest at 'http://alpha.eastbayinfo.org/mtc/event' from origin 'http://eastbayinfo-beta.thrivebrokers.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

In Nginx I don't see this CORS issue, but SameSite=None cannot be set. My question is: is it fixed in the new version of Mautic? It is claimed to be fixed in this version: https://github.com/mautic/mautic/pull/8436/commits/baf7a2f2bcbb218ec1ea45d0ec8e89d3625db752
How can I test this fix that Mautic has done? I did not find any clear instructions to test this. Please let me know if anyone is facing the same issue as me. Any help is appreciated, thank you!

This is my Apache configuration for the site:

<VirtualHost *:80>

    ServerAdmin admin@alpha.eastbayinfo.org
    DocumentRoot /var/www/html/mautic
    ServerName alpha.eastbayinfo.org
    ServerAlias alpha.eastbayinfo.org

    # The HTTP-to-HTTPS redirect is commented out, so this vhost serves plain
    # HTTP. Browsers discard a "Secure" cookie that is set over http://, and
    # SameSite=None is only accepted together with Secure, so the cookie below
    # cannot take effect until the site is served over HTTPS.
    #RewriteEngine On
    #RewriteCond %{HTTPS} off
    #RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    # mod_ssl and log directives are only valid in server/virtual-host context,
    # not inside <Directory> (apachectl configtest rejects them there). They are
    # kept at vhost level here; the certificate lines still do nothing in a :80
    # vhost without "SSLEngine on".
    SSLCertificateFile      /etc/letsencrypt/live/alpha.eastbayinfo.org/cert.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/alpha.eastbayinfo.org/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/alpha.eastbayinfo.org/chain.pem
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory /var/www/html/mautic/>

        Options +FollowSymlinks
        AllowOverride All
        Require all granted

        # Needs mod_headers (a2enmod headers). "Header set" replaces every
        # Set-Cookie the application emits (Mautic's own session and tracking
        # cookies included) with this single fixed cookie; "Header edit" would
        # append the attributes to the existing cookies instead.
        Header set Set-Cookie "language=eng; path=/; HttpOnly; Secure; SameSite=None"

        # Allow-Credentials true together with the wildcard Allow-Origin is
        # exactly what Chrome rejects in the preflight error above: with
        # credentials the response has to name the requesting origin.
        Header set Access-Control-Allow-Credentials true
        #Header set Access-Control-Allow-Origin "http://eastbayinfo-beta.thrivebrokers.com"
        Header set Access-Control-Allow-Origin "*"
        Header set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
        Header set Access-Control-Max-Age "36000"
        Header set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, accept, client-security-token"
        Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' *.eastbayinfo.org *.google.com *.googleapis.com *.facebook.com"
    </Directory>
</VirtualHost>
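As an added example (not part of the original post and not the Mautic project's own configuration), here is how the same vhost could set the cookie attributes and the CORS headers without the two problems in the post: Mautic is served over HTTPS so that Secure (which SameSite=None requires) actually applies, SameSite=None; Secure is appended to the cookies Mautic itself emits instead of replacing them, and only an allow-listed origin is echoed back together with Access-Control-Allow-Credentials instead of the wildcard. The allow-list (the one embedding origin from the error message, over either scheme), the reduced method and header lists, and the certificate paths are assumptions taken from the post; adjust them to your setup.

```apache
# Plain HTTP only redirects to HTTPS: a "Secure" cookie set over http:// is
# discarded by the browser, and SameSite=None is rejected without Secure.
<VirtualHost *:80>
    ServerName alpha.eastbayinfo.org
    Redirect permanent / https://alpha.eastbayinfo.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName alpha.eastbayinfo.org
    DocumentRoot /var/www/html/mautic

    # Requires mod_ssl. Paths are the ones from the original post (assumed).
    SSLEngine on
    SSLCertificateFile      /etc/letsencrypt/live/alpha.eastbayinfo.org/cert.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/alpha.eastbayinfo.org/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/alpha.eastbayinfo.org/chain.pem

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Requires mod_headers and mod_setenvif (a2enmod headers setenvif).

    # 1. Cookies: append the attributes to every Set-Cookie the application
    #    produces, but only when it has not already set SameSite itself (the
    #    negative lookahead), so a Mautic release that emits the attribute on
    #    its own is left alone. "always" also covers non-2xx responses.
    Header always edit Set-Cookie "^(?i)(?!.*samesite=)(.*)$" "$1; SameSite=None; Secure"

    # 2. CORS: an allow-list of origins that may send credentialed requests.
    #    The requesting Origin is captured into an env var and reflected back
    #    only if it matched; any other origin gets no CORS headers at all.
    #    (Assumption: the embedding site from the error message, http or https.)
    SetEnvIf Origin "^(https?://eastbayinfo-beta\.thrivebrokers\.com)$" CORS_ORIGIN=$1
    Header set Access-Control-Allow-Origin "%{CORS_ORIGIN}e" env=CORS_ORIGIN
    Header set Access-Control-Allow-Credentials "true" env=CORS_ORIGIN
    Header set Access-Control-Allow-Methods "GET, POST, OPTIONS" env=CORS_ORIGIN
    Header set Access-Control-Allow-Headers "x-requested-with, Content-Type" env=CORS_ORIGIN
    Header set Access-Control-Max-Age "36000" env=CORS_ORIGIN
    # The response now differs per Origin; tell caches so one origin's
    # Allow-Origin header is never served to another origin.
    Header merge Vary Origin

    <Directory /var/www/html/mautic/>
        Options +FollowSymlinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

# Checking the result once the vhost is active:
#   apachectl configtest
#   curl -sI https://alpha.eastbayinfo.org/mtc/event | grep -i '^set-cookie'
#     -> every Set-Cookie line should end with "; SameSite=None; Secure"
#   curl -s -o /dev/null -D - -X OPTIONS \
#        -H 'Origin: http://eastbayinfo-beta.thrivebrokers.com' \
#        -H 'Access-Control-Request-Method: POST' \
#        https://alpha.eastbayinfo.org/mtc/event | grep -i '^access-control'
#     -> Access-Control-Allow-Origin must echo the Origin, never "*"
```

To check whether the Mautic change itself emits the attribute, comment out the `Header always edit` line, reload Apache and run the same curl against the tracking endpoint: any SameSite=None on the Set-Cookie lines must then have come from Mautic rather than from the web server.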