How to use the SameSite Cookie Fix

The plugin can also help to solve two problems that can occur when you need cookies in an iframe:

  • Blocking of 3rd party cookies – Please see here for this issue.
  • Cookies are not set if Secure, SameSite=None and Partitioned are missing

Below I will explain how to add Secure, SameSite=None and Partitioned to your existing cookies.

First some links where you can get some background info about the issue:

So how should the problem be solved? The optimal way is to add this to all your cookies:

SameSite=None; Secure; Partitioned;

Unfortunately, adding this is usually not simple if you are not the owner of the software and have only downloaded it as a plugin for WordPress. Advanced iframe has a solution which modifies the cookies on the fly at the time they are normally sent. WordPress offers a hook where the following solution is added: the plugin iterates over all headers, and for every header that sets a cookie it checks whether SameSite=None; Secure; Partitioned; is missing; if so, the attributes are added and the cookie is set again.

How to use it

Please note: Partitioned; will be added in 2023.10! So please use the .htaccess solution below for now if you can.

You need to install Advanced iframe on the page IN the iframe. If you don’t run WordPress there, please check the section below. If you have no access, you need to ask the owner to modify the cookies!

On the Advanced tab go to “SameSite cookie fix”. There you can use the following settings:

  • ALL – All cookies will be checked and modified.
  • cookie1, cookie2 – Only cookie1 and cookie2 are modified. All other cookies will not be touched.
  • cookie1,cookie2,parameter=aiFixSameSite – cookie1 and cookie2 are only modified if the specified parameter is added to the URL and set to true, e.g. ?aiFixSameSite=true. This setting has to be at the end and is saved in a session cookie as well. This makes it possible to modify the cookies only if the page is in an iframe.
  • Debugging: You can enable the debug mode by calling your page with ?aiDebugCookies=true or by adding aiDebugCookies to your setting.

Please note that only the cookies of the site itself will be changed. The plugin does not touch any backend cookies, such as the plugin’s own!

Cookies are only modified when they are part of the response headers. So if you enable this feature you need to clear all your cookies first, as existing ones stay as they are.

Using this feature standalone

You can also use this feature without WordPress. The plugin contains the following file: wp-content\plugins\advanced-iframe\includes\advanced-iframe-main-cookie.php. It contains the class AdvancedIframeCookie, which provides the static methods you need. The file has no dependencies, so you can copy it wherever you like.

To use the functionality you need to include advanced-iframe-main-cookie.php in your page and call AdvancedIframeCookie::addCookieSameSite($filter);

The filter contains exactly the settings defined above. So a simple example looks like this:

<?php
include 'advanced-iframe-main-cookie.php';
AdvancedIframeCookie::addCookieSameSite('ALL');

You need to include this snippet BEFORE the first HTML is sent to the client, i.e. before <html> is sent. You might have to do this before your template file or in the functions.php file many sites have.
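As an added illustration (not the plugin's own code), the following PHP re-implements the rewrite step described above together with the filter settings from the Advanced tab: it takes a Set-Cookie line, decides whether the filter selects that cookie, and adds Secure, SameSite=None and Partitioned, replacing an existing SameSite value rather than duplicating it. The names aiParseFilter, aiFixSetCookie and aiFixQueuedCookies, and the assumption that the parameter mode is remembered in a cookie of the same name, are mine.

```php
<?php
// Added illustration, not the plugin's code. Filter syntax follows the page:
// 'ALL', 'cookie1,cookie2' or 'cookie1,cookie2,parameter=NAME' (parameter last).
function aiParseFilter(string $filter): array {
    $names = array_values(array_filter(array_map('trim', explode(',', $filter))));
    $param = null;
    if ($names && stripos(end($names), 'parameter=') === 0) {
        $param = substr(array_pop($names), strlen('parameter='));
    }
    return ['all' => in_array('ALL', $names, true), 'names' => $names, 'param' => $param];
}

// $get / $cookies stand in for $_GET / $_COOKIE so the function is testable without a request.
function aiFixSetCookie(string $line, string $filter, array $get = [], array $cookies = []): string {
    $f = aiParseFilter($filter);
    $parts = array_map('trim', explode(';', $line));
    $name = explode('=', $parts[0], 2)[0];
    if (!$f['all'] && !in_array($name, $f['names'], true)) return $line; // not selected
    // parameter mode: rewrite only if ?NAME=true was sent or was remembered earlier in a
    // cookie of the same name (how the plugin stores it is an assumption here)
    if ($f['param'] !== null && ($get[$f['param']] ?? $cookies[$f['param']] ?? '') !== 'true') return $line;
    $kept = [$parts[0]];
    $hasSecure = $hasPartitioned = false;
    foreach (array_slice($parts, 1) as $attr) {
        $key = strtolower(explode('=', $attr, 2)[0]);
        if ($attr === '' || $key === 'samesite') continue; // old SameSite=Lax/Strict replaced below
        $hasSecure = $hasSecure || $key === 'secure';
        $hasPartitioned = $hasPartitioned || $key === 'partitioned';
        $kept[] = $attr;
    }
    if (!$hasSecure) $kept[] = 'Secure';   // browsers reject SameSite=None without Secure
    $kept[] = 'SameSite=None';              // cookie now rides on cross-site requests: keep CSRF tokens
    if (!$hasPartitioned) $kept[] = 'Partitioned';
    return implode('; ', $kept);
}

// Call before any output (the plugin does this from a WordPress hook): rewrite the
// Set-Cookie headers PHP has queued so far, replacing rather than duplicating them.
function aiFixQueuedCookies(string $filter): void {
    $fixed = [];
    foreach (headers_list() as $h) {
        if (stripos($h, 'Set-Cookie:') === 0) {
            $fixed[] = aiFixSetCookie(trim(substr($h, strlen('Set-Cookie:'))), $filter, $_GET, $_COOKIE);
        }
    }
    if (!$fixed) return;
    header_remove('Set-Cookie');
    foreach ($fixed as $c) header('Set-Cookie: ' . $c, false);
}
```

With the filter 'ALL', a queued line such as sid=abc; Path=/; SameSite=Lax comes out as sid=abc; Path=/; Secure; SameSite=None; Partitioned.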

Using .htaccess to also add the settings to Ajax requests

The settings above only work if the whole page is rendered by a normal page load. If your web page loads its content by Ajax, this will not work anymore, because you would then need to adapt each Ajax call, which is normally not feasible without modifying all the requests.

An easier solution is then to let the server itself modify all cookies. This can be done by adding the following line to the .htaccess file of your server:

Header edit Set-Cookie ^(.*)$ $1;Secure;SameSite=None;Partitioned

Depending on your server version you may need:
Header always edit Set-Cookie ^(.*)$ $1;Secure;SameSite=None;Partitioned

Be aware that this now changes all your cookies, whether you are in an iframe or not!

It is always a good idea to surround these settings with
<IfModule mod_headers.c> ... </IfModule>
to make sure they are only executed when the module is loaded.

Using .htaccess to remove/set the X-Frame-Options

Iframes cannot be included if X-Frame-Options is set to “DENY” or “SAMEORIGIN”. You see a message in the browser console if this header is set, or you can check your page here. If you are able to edit the .htaccess file of the page in the iframe, you can remove/overwrite this by setting:

Header set X-Frame-Options ALLOWALL
or
Header unset X-Frame-Options
or
Header always unset X-Frame-Options

Depending on your overall setup and your server version you can try the settings above. As these headers can also be set in e.g. ssl-params.conf or security.conf, your settings may be overwritten again.

It is always a good idea to surround these settings with
<IfModule mod_headers.c> ... </IfModule>
to make sure they are only executed when the module is loaded.

Happy cookie fixing,

Michael