I'm dropping this here as a nice little tweak you can make to your app if you need to quickly/easily comply with Chrome's "SameSite=None; Secure" requirement. If your app has an .htaccess file, it can actually handle cookie manipulation with a RegEx. This single line allowed me to get this requirement met in my app and go about the rest of my week 🙂
Header always edit Set-Cookie (.*) "$1; SameSite=None; Secure"
Hope this helps. Take care all.
I came here to post the same tip 🙂 but you pipped me to it. Thanks Jon.
I wrote a small blogpost with some extra details
Hi,
What about incompatible clients? Here is a list: https://www.chromium.org/updates/same-site/incompatible-clients
How do I deal with that in the .htaccess file?
Thanks
Yeah, this works, but it breaks on Safari...
Try this code in .htaccess to fix it:
<If "%{HTTP_USER_AGENT} !~ /(iPhone; CPU iPhone OS 1[0-2]|iPad; CPU OS 1[0-2]|iPod touch; CPU iPhone OS 1[0-2]|Macintosh; Intel Mac OS X.*Version\x2F1[0-2].*Safari)/i">
    Header edit Set-Cookie ^(.*)$ $1;SameSite=None;Secure
</If>
The code above wasn't working on my version of Safari on 10.14, so I tweaked the regex to exclude all Safari, and now it works.
Doesn't add SameSite to Safari and some other incompatible browsers, but adds it to Chrome.
<If "%{HTTP_USER_AGENT} !~ /(iPhone; CPU iPhone OS 1[0-2]|iPad; CPU OS 1[0-2]|iPod touch; CPU iPhone OS 1[0-2]|Macintosh; Intel Mac OS X.*Version\/.* Safari\/)/i">
    Header edit Set-Cookie ^(.*)$ $1;SameSite=None;Secure
</If>
Hi @Jason27
Great help!
I tried the code you provided in my .htaccess file. When I put in the second code, it breaks, returning an error (please refer to the attachment) on the latest Chrome browser (not tested in other browsers). Do you know why it's happening?
I appreciate your help!
Thank you
Hi, just use the first one I posted for now. I thought my tweak to the regex was working, but I need to look at that. The first one still doesn't work for Safari 10.14.6, but does work on some other versions including iOS. Will take a look at fixing the modified version over the next week. We have until Feb 17 anyways.
Thank you!! Saved my day; I was trying to fix the issue for almost 2 days.
This version includes the fix for Safari v13 on OS X 10.14:
<If "%{HTTP_USER_AGENT} !~ /(iPhone; CPU iPhone OS 1[0-2]|iPad; CPU OS 1[0-2]|iPod touch; CPU iPhone OS 1[0-2]|Macintosh; Intel Mac OS X.*Version\x2F1[0-2].*Safari|Macintosh;.*Mac OS X 10_14.* AppleWebKit.*Version\x2F1[0-3].*Safari)/i">
    Header edit Set-Cookie ^(.*)$ $1;SameSite=None;Secure
</If>
What can be done for apps which do not have an .htaccess file? Can we create it?
Thanks in advance.
I know some newer versions of iOS/Safari block third-party cookies by default anyway, but does this solution mean older iOS devices would still be susceptible to CSRF attacks if relying on this solution alone?
Not sure if preventing attacks is my priority right now. Compatibility-wise, it seems to work afaik.
I think this is not working on the latest Safari version. Any updates on how to fix it?
All my settings come directly from an AJAX call, but as per my debugging, my session is not readable through the AJAX call.
Try this in your .htaccess file and let us know if it's working right:
<If "%{HTTP_USER_AGENT} !~ /(iPhone; CPU iPhone OS 1[0-2]|iPad; CPU OS 1[0-2]|iPod touch; CPU iPhone OS 1[0-2]|Macintosh; Intel Mac OS X.*Version\x2F1[0-3].*Safari|Macintosh;.*Mac OS X 10_14.* AppleWebKit.*Version\x2F1[0-3].*Safari)/i">
    Header edit Set-Cookie ^(.*)$ $1;SameSite=None;Secure
</If>
Cheers
I tried the code above but it's not working on the latest Safari browser. 😞
What's the user-agent string for the latest Safari browser?
@Jason27 wrote: What's the user-agent string for the latest Safari browser?
Mozilla/5.0 (iPhone; CPU iPhone OS 13_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Mobile/15E148 Safari/604.1
Using my mobile Safari browser.
OK, you were referring to iOS, so try this instead:
<If "%{HTTP_USER_AGENT} !~ /(iPhone; CPU iPhone OS 1[0-3]|iPad; CPU OS 1[0-2]|iPod touch; CPU iPhone OS 1[0-3]|Macintosh; Intel Mac OS X.*Version\x2F1[0-3].*Safari|Macintosh;.*Mac OS X 10_14.* AppleWebKit.*Version\x2F1[0-3].*Safari)/i">
    Header edit Set-Cookie ^(.*)$ $1;SameSite=None;Secure
</If>
Let us know if this works
Can you give a solution for this agent string?
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.2 Safari/605.1.15
I think Safari fixed this issue in later versions. Are you experiencing a SameSite issue with the latest Safari?
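To check what the last <If> expression in this thread actually does to a Set-Cookie header for a given client, here is an added Python emulation (not code from the thread or from Apache) of the user-agent test and the Header edit rewrite. It runs the exclusion pattern against the iOS 13 and macOS Safari 14 user-agent strings quoted above plus a constructed Chrome string, and includes a check for the case where the app already sets a SameSite attribute, which the single-line rewrite does not handle.

```python
import re

# UA exclusion pattern from the thread's last <If> expression, with Apache's
# \x2F escape written as a plain "/" for Python's re module.
INCOMPATIBLE_UA = re.compile(
    r"(iPhone; CPU iPhone OS 1[0-3]"
    r"|iPad; CPU OS 1[0-2]"
    r"|iPod touch; CPU iPhone OS 1[0-3]"
    r"|Macintosh; Intel Mac OS X.*Version/1[0-3].*Safari"
    r"|Macintosh;.*Mac OS X 10_14.* AppleWebKit.*Version/1[0-3].*Safari)",
    re.IGNORECASE,
)

def is_incompatible_client(user_agent: str) -> bool:
    """True when the <If> condition would skip the Header edit for this client."""
    return INCOMPATIBLE_UA.search(user_agent) is not None

def apply_header_edit(set_cookie: str, user_agent: str) -> str:
    """Emulate `Header edit Set-Cookie ^(.*)$ $1;SameSite=None;Secure` guarded by the <If>."""
    if is_incompatible_client(user_agent):
        return set_cookie  # excluded browser: header passes through untouched
    return re.sub(r"^(.*)$", r"\1;SameSite=None;Secure", set_cookie)

def samesite_attributes(set_cookie: str) -> list:
    """All SameSite values in the header. More than one means the rewrite
    duplicated an attribute the application had already set."""
    return re.findall(r";\s*SameSite=([A-Za-z]+)", set_cookie, re.IGNORECASE)

# User-agent strings quoted in the thread, plus one constructed Chrome string.
IOS_13 = ("Mozilla/5.0 (iPhone; CPU iPhone OS 13_3_1 like Mac OS X) AppleWebKit/605.1.15 "
          "(KHTML, like Gecko) Version/13.0.5 Mobile/15E148 Safari/604.1")
MACOS_SAFARI_14 = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
                   "(KHTML, like Gecko) Version/14.0.2 Safari/605.1.15")
CHROME_80 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36")  # constructed sample

if __name__ == "__main__":
    cookie = "PHPSESSID=abc123; Path=/; HttpOnly"  # constructed sample header
    for name, ua in [("iOS 13", IOS_13), ("Safari 14", MACOS_SAFARI_14), ("Chrome 80", CHROME_80)]:
        print(f"{name:10} -> {apply_header_edit(cookie, ua)}")
    # Edge case: the app already sends SameSite=Lax, so the edit yields two attributes.
    print(samesite_attributes(apply_header_edit("sid=x; SameSite=Lax", CHROME_80)))
```

Note that the Safari 14 string is not matched by any alternative, so that client does receive SameSite=None; Secure, while the iOS 13 string is excluded and its cookie is left without a SameSite attribute at all.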