CakePHP 3.9 - Cookies: how to configure, read and write

Need Help
1

Is there anybody that could give me a small tutorial like here: or tell me, what I have to change?
I understand that the cookie component which I am using now, is deprecated and that I should use middleware. Now I don’t know how to read and write cookies any more.

The console of the Firefox-Broser says:
Einige Cookies verwenden das empfohlene “SameSite”-Attribut inkorrekt. 2

Das Cookie “PflanzenLernen” wird in Zukunft bald abgelehnt werden, da es für das Attribut “SameSite” entweder “None” oder einen ungültigen Wert angibt, ohne das “secure”-Attribut zu verwenden. Weitere Informationen zum “SameSite”-Attribut finden Sie unter https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite.

This ist my code in the App-Controller:

public function initialize() {
parent::initialize();

  $this->loadComponent('RequestHandler', ['enableBeforeRedirect' => false]);      
  $this->loadComponent('Flash', ['clear' => true]);  
  $this->loadComponent('Cookie');
  $this->loadComponent('Optionen');        
  
  date_default_timezone_set('Europe/Zurich');       
  
  $this->Cookie->setConfig([
      'expires' => '+31 days'   
  ]);
  $this->Cookie->configKey('PflanzenLernenUpdateModus', [
      'expires' => '0'   
  ]);
    
  if ($this->Cookie->check ('PflanzenLernenUpdateModus')) {
     $updateModus = $this->Cookie->read ('PflanzenLernenUpdateModus');
  } else {
    	$updateModus = "aus";
     $this->Cookie->write ('PflanzenLernenUpdateModus', "aus");
  }
  Configure::write('updateModus', $updateModus); 
  $this->set('updateModus',$updateModus);

Thank you very much for your help.
Dorothee

2

You are using the SameSite=None flag but lack the secure attribute, which can cause some nasty side-effects with security.
The “proper” fix depends on your needs.

Add the secure attribute

This only works if you have HTTPS enabled on your server (which you should unless you’re a “dummkopf” :slightly_smiling_face:).
Setting this flag will prevent this cookie from being send when not in a secure (“HTTPS”) context.

Only this cookie:

$this->Cookie->setConfig([
    'SameSite' => 'none',
    'secure' => true,
]);

Set the SameSite to Strict

Setting this flag will prevent the cookie from being send when your browser is not on the same domain (eg. example1.com cannot initiate a request to example2.com with this cookie).
This is my recommended way if you have no requirement for the cookies to be available in requests on 3rd party sites (APIs should use something like OAuth2 or SSO anyways).
Best used with the Secure flag as well (for obvious reasons).

$this->Cookie->setConfig([
    'SameSite' => 'Strict',
]);

with httpOnly flag

If you don’t need to use the cookie in your JavaScript you might also want to set the httpOnly flag.
XHR (or AJAX) requests are unaffected by it, just things using the Document.cookie API.

$this->Cookie->setConfig([
    'httpOnly' => true,
]);

More information

Also, I recommend looking into the “new” way of handling Cookies since the way you are using now (using the CookieComponent) is deprecated.

And more reading up for when you’re on the toilet: