After migrate to LiteSpeed server-> .htaccess header edit

#1
Dear all,

I’ve just migrate to a litespeed server and was very exited about it! Sadly have a issue that’s making me loose half of my sales.

Regarding Google privacy Policy, before migrating, i had on .htaccess:

Header always edit Set-Cookie (.*) "$1; SameSite=None; Secure"

In my htaccess file, and I just find out that edit is no supported,

Anyone with know a walkarround for marking all cookies with SameSite=None; Secure.?

Thanks for the help!
 

serpent_driver

Well-Known Member
#3
Normally there is no need to add defines for such cookie values, because they are default. Please provide us with information about control panel, PHP version, application.
 
#4
Thanks for your'e answer Serpent_Driver,

Im running PHP 7.2 on a shared "turbo" a2Hosting server, the app i'm using is Prestashop 1.7.6.7

Server information:

Server Information
Item Detail
Hosting Package Turbo Boost 2020
Server Name az1-ts2
cPanel Version 86.0 (build 24)
Apache Version 2.4.43
PHP Version 7.2.31
MySQL Version 10.3.23-MariaDB-cll-lve
Architecture x86_64
Operating System linux
Shared IP Address 68.66.226.81
Path to Sendmail /usr/sbin/sendmail
Path to Perl /usr/bin/perl
Perl Version 5.16.3
Kernel Version 3.10.0-962.3.2.lve1.5.36.el7.x86_64

do you need any more help.

Thanks again.
 
#5
If it give more information, this are the cookies that chrome report as error when going back from payment site back to prestashop instance:

1598294585253.png

Thanks
 

serpent_driver

Well-Known Member
#6
I have a PrestaShop demo running with LSWS and LSCache and all cookies are secure and same site: none without any modifications. If I check cookies at https://www.agujasycrochet.cl all cookies set by PrestaShop have correct values. If there are cookies set by external host (Google Analytics) or by plugins (cookielaw_module) and if such cookies don't have the correct values you have to ask them why they don't set correct values.

This is not a LiteSpeed issue!
 
#8
Dear Serpent_driver,

You are right that everything seems ok, (i'm not trying to correct the google ones)

The issue appears when you pay. When paying, user is redirected to a third party site:

1598295685248.png
And when you spend more than two minutes in the third party site, cookies are rejected and this error occur:

1598295983125.png

For fixing this, i just add to .htaccess : Header always edit Set-Cookie (.*) "$1; SameSite=None; Secure"

But now that i migrate to LiteSpeed server, as edit is not supported, the fix stop working, and the errors star happening again :(

So maybe there ir a walkarround for marking all cookies with SameSite=None; Secure.?
 

Attachments

serpent_driver

Well-Known Member
#9
Again, all cookies set by PrestaShop have correct values. Cookies with wrong values are either set by external host or by plugin and these cookies can't be overwritten. Ask Google or plugin manufacturer to fix it.
 
#10
Dear Serpent, I appreciate your'e support, i'm very clear that the error is generated by "code" and not by LiteSpeed, but a valid walkarround was to just add to .htaccess : Header always edit Set-Cookie (.*) "$1; SameSite=None; Secure". (not supported by LiteSpeed)

Hence, Im asking if there is something similar to that in LiteSpeed (google or pluggin vendor can take months and we are loosing sales every hour).

Regards
 
#11
and we are loosing sales every hour
Why do you lose money? A normal user doesn't care about cookie values if page and checkout is working without any problems.

And the last time! If a cookie is set by external host or a proxy like on Google for Analytics it is out of your control.
But you can give it try. Have a look at:
https://webmasters.stackexchange.com/questions/117745/overwriting-cookies-in-htaccess
https://stackoverflow.com/questions...ie-response-in-apache-httpd/24246462#24246462
 
#12
Hi bgm2002~ you can use
ForceSecureCookie httponly secure same_site_none (See https://blog.litespeedtech.com/2020/11/02/header-edit-set-cookie-alternative/)
in replacement of Header edit ... in apache.

Chrome does require writing it precisely (otherwise it will be viewed as Lax), so the 3rd party can access the cookie without any limitation. that's why we added the line below in Apache
Header always edit Set-Cookie (.*) "$1; SameSite=None; Secure"

But it doesn't work at Safari, if you add SameSite=None, secure tag, Safari will view it as strict. So we need <If> <Else> (conditional context ) to set the SameSite header on Chrome only.

I'm still trying if LiteSpeed 6.0 support <If><Else> for ForceSecureCookie, but with no luck so far, <If><Else> did work, but not for ForceSecureCookie tag, seems it's command in another world.....:)

Ryan
 
Top