Asked  7 Months ago    Answers:  5   Viewed   30 times

I created a chrome extension and from popup.js I called PHP script (Using Xhttprequest) that reads the cookie. Like this:

$cookie_name = "mycookie";

    echo $_COOKIE[$cookie_name];
    echo "nocookie";

But I'm getting this warning at errors in extensions.

A cookie associated with a cross-site resource at (Here is my domain) was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at and

I tried to create a cookie like this but it didn't help.

setcookie($cookie_name,$cookie_value, time() + 3600*24, "/;samesite=None ","", 1);

Following instructions from this question.



I'm also in a "trial and error" for that, but this answer from Google Chrome Labs' Github helped me a little. I defined it into my main file and it worked - well, for only one third-party domain. Still making tests, but I'm eager to update this answer with a better solution :)

EDIT: I'm using PHP 7.4 now, and this syntax is working good (Sept 2020):

$cookie_options = array(
  'expires' => time() + 60*60*24*30,
  'path' => '/',
  'domain' => '', // leading dot for compatibility or use subdomain
  'secure' => true, // or false
  'httponly' => false, // or false
  'samesite' => 'None' // None || Lax || Strict

setcookie('cors-cookie', 'my-site-cookie', $cookie_options);

If you have PHP 7.2 or lower (as Robert's answered below):

setcookie('key', 'value', time()+(7*24*3600), "/; SameSite=None; Secure");

If your host is already updated to PHP 7.3, you can use (thanks to Mahn's comment):

setcookie('cookieName', 'cookieValue', [
  'expires' => time()+(7*24*3600,
  'path' => '/',
  'domain' => '',
  'samesite' => 'None',
  'secure' => true,
  'httponly' => true

Another thing you can try to check the cookies, is to enable the flag below, which—in their own words—"will add console warning messages for every single cookie potentially affected by this change":


See the whole code at:, they have the code for same-site-cookies too.

Wednesday, March 31, 2021
answered 7 Months ago

You can set the value to "None" using ini_set. There's no check that the value is supported when that function is used:

ini_set('session.cookie_samesite', 'None');

session_set_cookie_params can also set it:

session_set_cookie_params(['samesite' => 'None']);

The bug report for this to be supported in php.ini is here.

As @shrimpwagon said in a comment below, session.cookie_secure must be true for this to work. PHP doesn't require it, but browsers do.

Wednesday, March 31, 2021
answered 7 Months ago

You're supposed to give a UNIX timestamp of when the cookie will expired (calculated since the epoch) as the third argument to the function call.

The time the cookie expires. This is a Unix timestamp so is in number of seconds since the epoch. In other words, you'll most likely set this with the time() function plus the number of seconds before you want it to expire. Or you might use mktime(). time()+60*60*24*30 will set the cookie to expire in 30 days. If set to 0, or omitted, the cookie will expire at the end of the session (when the browser closes).

I suggest you read the documentation for setcookie.

Saturday, May 29, 2021
answered 5 Months ago

Make sure you have a domain that is known by both server and client. echo $_SERVER['HTTP_HOST'] should tell you the exact same domain that your browser has. If not, cookie will not be accepted by the browser.

Make sure your server and client time is perfectly correct. Browser will reject a cookie with a wrong datetime.

Do not write any other code and just do:

$cookie_name = "user";
$cookie_value = "John Doe";
setcookie($cookie_name, $cookie_value, time() + (86400 * 30), "/"); // 86400 = 1 day 
// expiration
echo date("H:i:s d.m.Y")."<br>";
echo $_SERVER['HTTP_HOST']."<br>";

and refresh the page twice.

Also check out manual at:

Saturday, May 29, 2021
answered 5 Months ago

Use path just like you did, but set an additional ;-delimited attribute "domain". If you start the domain value with a . it will allow any subdomains ( would effectively allow *

Full documentation for the various cookie options here

Sunday, October 10, 2021
answered 2 Weeks ago
Only authorized users can answer the question. Please sign in first, or register a free account.
Not the answer you're looking for? Browse other questions tagged :