
Laravel Session cookie cannot be set to 'None' for SameSite

bvfi-dev:

I need to have my website in an iframe in another website. I tested it in an iframe when trying to register and I get an Error 419. This is basically the same as https://laracasts.com/discuss/channels/laravel/setting-same-site-in-seassonphp-doesnt-do-anything, and the solution there was: "Just convert and transform your whole app", which is something I unfortunately cannot afford right now, time is running low.

I changed 'same_site' => 'none', in session.php and that actually changed the type for the XSRF-TOKEN cookie only, however the _session cookie stayed the same. I also changed 'partitioned' => true, (it was false), but that didn't do anything.

I have Laravel, Livewire and Jetstream installed on a custom domain, on a custom server. It's a fresh installation; I have only transferred the resource views and the controller code. The rest of the config is as:

<?php

// config/session.php (the relevant keys, as posted; wrapped so the file is complete)

use Illuminate\Support\Str;

return [
    'driver' => env('SESSION_DRIVER', 'database'), // Defaults to database
    'lifetime' => env('SESSION_LIFETIME', 120),
    'expire_on_close' => false,
    'encrypt' => false,
    'connection' => env('SESSION_CONNECTION'), // Not specified in .env
    'table' => 'sessions',
    'store' => env('SESSION_STORE'), // Also not specified in .env
    'cookie' => env(
        'SESSION_COOKIE',
        Str::slug(env('APP_NAME', 'laravel'), '_').'_session'
    ), // The cookie in question
    'domain' => env('SESSION_DOMAIN'), // Also not specified in .env
    'secure' => env('SESSION_SECURE_COOKIE'), // Also not specified in .env
    'http_only' => true,
    'same_site' => 'none',
    'partitioned' => true,
];

The only SESSION_... variables I have in my .env are:

SESSION_DRIVER=database
SESSION_LIFETIME=120

(screenshot attachment: cookies.png)

4 replies
Snapey:

Explain more about the domain of the page and the domain of the iframe.

bvfi-dev:

@Snapey Uhm, completely different URLs and domains, but I have control over both. Both HTTPS. One is an Ionos website and the other one is this.

Snapey:

@bvfi-dev Does the content of the iframe work OK when you access it directly?

bvfi-dev:

@Snapey Yes, it's not a big website: it has a login/register page, and then users click on a button that does a POST request. None of the POST requests basically work. When I try to register/login I get a 419 error; when I click on that button that's supposed to take me to another page, a dialogue pops up and says "This page has expired. Would you like to refresh?"

EDIT: I fixed the issue by adding SESSION_SECURE_COOKIE=true, however it's still not working on mobile.
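The reason SESSION_SECURE_COOKIE=true was the missing piece is a browser rule, not a Laravel one: a cookie with SameSite=None is rejected outright unless it also carries Secure, and Partitioned additionally requires both. A session cookie the browser never stored means the CSRF token has no session to match against, which is exactly Laravel's 419. The script below is an added example (not code from this thread or from Laravel) that audits Set-Cookie headers for these rules, so you can check what the app actually sends instead of reading config. The two header lists BEFORE_FIX and AFTER_FIX are constructed to look like what Laravel emits with the posted session.php before and after the fix; the cookie values and dates are made up, and the function names are this example's own.

```python
"""Audit Set-Cookie headers for the attributes a browser requires before it
will store a cookie and send it on requests made from a cross-site iframe.

Added example, not code from the thread and not part of Laravel. The sample
headers are constructed (values made up) to resemble Laravel's output with the
session.php values quoted in the question; the checks encode browser rules.
"""
from __future__ import annotations

# Constructed sample: same_site=none in session.php but SESSION_SECURE_COOKIE
# unset. XSRF-TOKEN picked up SameSite=None, the session cookie is still Lax.
BEFORE_FIX = [
    "XSRF-TOKEN=eyJpdiI6Ik...; expires=Mon, 01 Jan 2030 00:00:00 GMT; "
    "Max-Age=7200; path=/; samesite=none",
    "laravel_session=eyJpdiI6Im...; expires=Mon, 01 Jan 2030 00:00:00 GMT; "
    "Max-Age=7200; path=/; httponly; samesite=lax",
]

# Constructed sample: same cookies after SESSION_SECURE_COOKIE=true with
# same_site=none and partitioned=true.
AFTER_FIX = [
    "XSRF-TOKEN=eyJpdiI6Ik...; expires=Mon, 01 Jan 2030 00:00:00 GMT; "
    "Max-Age=7200; path=/; secure; samesite=none; partitioned",
    "laravel_session=eyJpdiI6Im...; expires=Mon, 01 Jan 2030 00:00:00 GMT; "
    "Max-Age=7200; path=/; secure; httponly; samesite=none; partitioned",
]

NONE_WITHOUT_SECURE = "SameSite=None without Secure: browser rejects the cookie"
NOT_CROSS_SITE = "SameSite={}: not sent on requests from a cross-site iframe"
NO_SAMESITE = "SameSite missing or unrecognised: treated as Lax, not sent from a cross-site iframe"
PARTITIONED_NEEDS = "Partitioned requires Secure and SameSite=None"


def parse_set_cookie(header: str) -> tuple[str, dict[str, str | bool]]:
    """Split one Set-Cookie value into (cookie name, {attribute: value or True}).

    Attribute names are lower-cased because browsers match them
    case-insensitively; a flag attribute such as Secure maps to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs: dict[str, str | bool] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if value else True
    return name, attrs


def audit_cookie(header: str) -> list[str]:
    """Return why a browser would not deliver this cookie from a cross-site
    iframe; an empty list means the cookie is usable in that context."""
    _, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    partitioned = "partitioned" in attrs
    same_site = str(attrs.get("samesite", "")).lower()
    if same_site not in ("none", "lax", "strict"):
        same_site = ""  # absent or unknown value: browsers fall back to Lax

    findings: list[str] = []
    if same_site == "none" and not secure:
        findings.append(NONE_WITHOUT_SECURE)
    if same_site in ("lax", "strict"):
        findings.append(NOT_CROSS_SITE.format(same_site.capitalize()))
    elif same_site == "":
        findings.append(NO_SAMESITE)
    if partitioned and not (secure and same_site == "none"):
        findings.append(PARTITIONED_NEEDS)
    return findings


def audit_headers(headers: list[str]) -> dict[str, list[str]]:
    """Audit every Set-Cookie header of one response, keyed by cookie name."""
    return {parse_set_cookie(h)[0]: audit_cookie(h) for h in headers}


if __name__ == "__main__":
    for label, headers in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(f"== {label} ==")
        for name, findings in audit_headers(headers).items():
            print(f"  {name}: {'ok' if not findings else '; '.join(findings)}")
```

To run it against a real deployment, paste the Set-Cookie lines from the response headers of the login page (for example from the browser's network tab, or from curl with -i) into a list and call audit_headers on it; any non-empty finding for the session cookie explains a 419 inside the iframe. Note that the check mirrors what the browser does, not what Laravel validates, which is why a config that looks right can still produce a cookie the browser silently drops.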
