Customize PHP session cookie

1

I'm using a custom handler to save sessions in MongoDB and a custom class to create cookies with the SameSite attribute using the header() function, though this specification is not widely adopted (yet).

However, the PHP session cookie is created by the session_start() function, which uses setcookie() and forces you to create a session cookie with no SameSite attribute.

How can I customize the session cookie in PHP?

    
asked by anonymous 06.03.2017 / 16:46

2 answers

0

Based on an answer I received on SO to a question related to RFC6265, which defines the "same-site" cookie specification, here is the solution presented:

  

Reply to SO

In free translation:

  

It seems that you can override the "path" or "domain" parameter of the PHP "setcookie" function to sneak in the SameSite attribute, because PHP does not escape a semicolon:

setcookie('samesite-test', '1', 0, '/; samesite=strict');

I found the answer interesting and decided to test it in phtester using PHP 7.0. The attribute was added to the session cookie using Chrome 63 (desktop) and 62 (Android), in addition to the native browser on Android (62) and Opera (48). Firefox 57 does not support it, but promises support in the next version (58).

According to caniuse.com the following browsers support the specification (or will offer):

    
24.12.2017 / 18:53
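The workaround quoted in the answer above, applied to the session cookie itself through session_set_cookie_params(), together with a check that the attribute actually reached the Set-Cookie header. This is an added example, not code from the original answers: the function names are hypothetical, and the PHP 7.3+ branch uses the 'samesite' option that PHP introduced after this answer was written.

```php
<?php
// Added example: function names are hypothetical, not part of any library.
declare(strict_types=1);

function start_session_with_samesite(string $sameSite = 'Strict'): void
{
    // Allow-list the value: it is copied verbatim into a Set-Cookie header,
    // so it must never come from unvalidated input.
    if (!in_array($sameSite, ['Strict', 'Lax'], true)) {
        throw new InvalidArgumentException('Unsupported SameSite value');
    }

    // Keep the lifetime/path/domain/secure/httponly values already configured.
    $params = session_get_cookie_params();

    if (PHP_VERSION_ID >= 70300) {
        // PHP 7.3+ accepts an options array with a 'samesite' key.
        $params['samesite'] = $sameSite;
        session_set_cookie_params($params);
    } else {
        // Older PHP: append the attribute to the path, as in the quoted answer.
        session_set_cookie_params(
            $params['lifetime'],
            $params['path'] . '; samesite=' . $sameSite,
            $params['domain'],
            $params['secure'],
            $params['httponly']
        );
    }

    // A custom save handler (session_set_save_handler) must be registered
    // before this call.
    session_start();
}

// Returns true if the session cookie queued for this response carries SameSite.
function session_cookie_has_samesite(): bool
{
    $prefix = 'Set-Cookie: ' . session_name() . '=';
    foreach (headers_list() as $header) {
        if (stripos($header, $prefix) === 0) {
            return stripos($header, 'samesite=') !== false;
        }
    }
    return false; // no session cookie was sent in this response
}
```

Call session_cookie_has_samesite() after start_session_with_samesite() under a web SAPI; on a request that already carries a valid session cookie PHP may not re-send it, so test with a fresh browser session.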
0

Have you seen this lib: link

Modern cookie management for PHP: This library provides a static method compatible with the PHP setcookie(...) function, but includes support for more recent features such as the SameSite attribute.

    
06.03.2017 / 19:04