How can I resolve a cross-site Google Analytics cookie `SameSite=None` warning in Chrome on Apache 2.4 and PHP 7.1?
My client's website is getting these SameSite cookie warnings in Chrome. I've searched all over and I can't get the warnings to go away. The cookies are due to Google Ad Conversion Tracking on a WordPress site. The site is on an Apache/2.4.7 (Ubuntu) server hosted by DreamHost running PHP 7.1 for compatibility reasons. To my .htaccess file, I've tried adding:
```apache
Header always edit Set-Cookie (.*) "$1; SameSite=None"
```
and I tried
```apache
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
```
...and I tried
```apache
Header always edit Set-Cookie (.*) "$1; SameSite=None;Secure"
```
as well as many other combinations including SameSite=Lax.
One guide recommends for PHP 7.2 and below:
```php
header('Set-Cookie: cross-site-cookie=bar; SameSite=None; Secure');
```
But that gives me a 500 Internal Server Error.
Yet I am still getting the following three errors:
A cookie associated with a cross-site resource at was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at and .

(index):1 A cookie associated with a resource at http://doubleclick.net/ was set with `SameSite=None` but without `Secure`. A future release of Chrome will only deliver cookies marked `SameSite=None` if they are also marked `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5633521622188032.

(index):1 A cookie associated with a resource at http://google.com/ was set with `SameSite=None` but without `Secure`. A future release of Chrome will only deliver cookies marked `SameSite=None` if they are also marked `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5633521622188032.
In my research, there seems to be limited information about the warning, and in the guides that are available, I'm not sure if I must identify the cookie by name or how to fix the cookie/headers at their source.
Solution 1:[1]
I would look at the tracker script. Here is the section about cross-domain traffic in the gtag.js docs. Make sure only the domain is present and no www, http, etc.
```javascript
gtag('set', 'linker', {
  'domains': ['example.com', 'example-b.com']
});
```
Solution 2:[2]
Have you tried the following?
```apache
Header Set Access-Control-Allow-Origin "*"
Header Set Access-Control-Allow-Credentials: true
Header set Set-Cookie: "ACookieAvailableCrossSite; SameSite=None; Secure"
```
The Console warning doesn’t mean that anything is necessarily broken. Your site continues to work as expected.
Hope this link will help you. Samesite-cookies-ByDefault
Solution 3:[3]
Set the field in gtag.js
You can set the field with an inline gtag.js implementation as well.
```javascript
gtag('config', 'UA-XXXXXX', {
  cookie_flags: 'max-age=7200;secure;samesite=none'
});
```
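The two rules stated in the Chrome warnings quoted in the question, applied to raw `Set-Cookie` values, as an added example that is not part of the question or of any answer. The function names, finding labels and sample header values are constructed for illustration, and `apacheAppend` only emulates the unconditional append performed by the `Header always edit Set-Cookie (.*) ...` directive from the question.

```javascript
// Added example. Header values below are constructed samples, not captured traffic.
const SAMPLES = [
  'sess=abc123; Path=/; HttpOnly',
  'track=1; Path=/; SameSite=None',
  'ok=1; Path=/; SameSite=None; Secure',
  'pref=dark; Path=/; SameSite=Lax',
];

// Split one Set-Cookie value into its name and the attributes Chrome checks.
function parseSetCookie(line) {
  const [pair = '', ...attrs] = line.split(';').map((s) => s.trim()).filter(Boolean);
  const eq = pair.indexOf('=');
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq), sameSite: [], secure: false };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=').map((s) => s.trim());
    if (key.toLowerCase() === 'samesite') cookie.sameSite.push(value.toLowerCase());
    if (key.toLowerCase() === 'secure') cookie.secure = true;
  }
  return cookie;
}

// Return the findings (hypothetical labels) that apply to one header value.
function auditSetCookie(line) {
  const c = parseSetCookie(line);
  const findings = [];
  if (c.sameSite.length === 0) findings.push('missing-samesite');
  if (c.sameSite.length > 1) findings.push('duplicate-samesite');
  if (c.sameSite.includes('none') && !c.secure) findings.push('none-without-secure');
  return { name: c.name, findings };
}

// Emulates the unconditional append done by the question's directive:
//   Header always edit Set-Cookie (.*) "$1; SameSite=None;Secure"
function apacheAppend(line) {
  return line.replace(/^(.*)$/, '$1; SameSite=None;Secure');
}

// Show each sample as sent and after the blanket append.
for (const line of SAMPLES) {
  const before = auditSetCookie(line).findings.join(',') || 'ok';
  const after = auditSetCookie(apacheAppend(line)).findings.join(',') || 'ok';
  console.log(`${line}\n  as sent: ${before}\n  after append: ${after}`);
}
```

A `Header edit` rule can only rewrite `Set-Cookie` headers on responses the site's own Apache sends, so check which host actually emits each flagged cookie before deciding where the fix belongs. The blanket append also leaves cookies that already carry a `SameSite` attribute with two of them.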
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Ususipse |
| Solution 2 | |
| Solution 3 | drozdo |
