How to set cookie_samesite option in Laminas MVC Session?

Hi, I’ve got the following code in my application and for some reason cookie_samesite option is not set in the application.

    'service_manager' => [
        'aliases' => [
            'Laminas\Authentication\AuthenticationService' => 'lmcuser_auth_service',
        ],
        'factories' => [
            \Laminas\Session\ConfigProvider::class => \Laminas\Session\Service\SessionConfigFactory::class,
        ],
        'abstract_factories' => [
            \Laminas\ServiceManager\AbstractFactory\ReflectionBasedAbstractFactory::class,
        ],
    ],
    'session_config' => [
        'name' => 'ttatausbl',
        'use_cookies' => true,
        'cookie_httponly' => true,
        'cookie_samesite' => "Strict"
    ],

My composer.json file looks like the below code:

    "require": {
        "php": "^7.3",
        "laminas/laminas-component-installer": "^1.0 || ^2.1",
        "laminas/laminas-development-mode": "^3.2",
        "laminas/laminas-mvc": "^3.1.1",
        "laminas/laminas-captcha": "^2.7",
        "laminas/laminas-recaptcha": "^3.2",
        "laminas/laminas-code": "^2.6",
        "laminas/laminas-serializer": "^2.9",
        "laminas/laminas-cache": "^2.10",
        "laminas/laminas-i18n-resources": "^2.6",
        "psr/http-message": "^1.0",
        "psr/http-factory": "^1.0",
        "san/san-session-toolbar": "^4.0",
        "doctrine/doctrine-orm-module": "^3.1.1",
        "lm-commons/lmc-user": "^3.1",
        "lm-commons/lmc-user-doctrine-orm": "^3.0",
        "lm-commons/lmc-rbac-mvc": "^3.0",
        "doctrine/doctrine-bundle": "^2.2",
        "laminas-commons/lmc-rbac-mvc": "^3.0",
        "gedmo/doctrine-extensions": "^3.0",
        "laminas/laminas-navigation": "^2.10",
        "doctrine/persistence": "^2.1"
    }

Can you check the result of ini_get('session.cookie_samesite')?


This makes no sense, because a config provider will not be fetched via the application container, and the mapping to the factory for the session config is also wrong.

Thanks, @froschdesign, for your insightful answer. I typed in the wrong class name. I’ve changed it as it is mentioned here, but it is still not working. The output of ini_get('session.cookie_samesite') is an empty string.

Application/src/Controller/IndexController.php:31:string '' (length=0)

In the documentation, it is written that I don’t even have to write the code below if I installed it via Composer. I wrote it incorrectly in my question, and even after correcting it, it doesn’t work.

        'factories' => [
            'Laminas\Session\Config\ConfigInterface' => 'Laminas\Session\Service\SessionConfigFactory',
        ],

The reason I want to use the configuration which I did for the session is that it is much simpler and it looks like it will save me writing code for the session manager. Thanks!

Hi @froschdesign, it seems I have to write the code here after all. I’ve misunderstood the wording here. But something has changed. For example, the code written for setting up the session manager has changed, and I think the documentation should change as well. The documentation code goes something like the below.

    use Laminas\Session;

    return [
        'session_manager' => [
            'config' => [
                'class' => Session\Config\SessionConfig::class,
                'options' => [
                    'name' => 'myapp',
                ],
            ],
            'storage' => Session\Storage\SessionArrayStorage::class,
            'validators' => [
                Session\Validator\RemoteAddr::class,
                Session\Validator\HttpUserAgent::class,
            ],
        ],
    ];

If someone copy-pastes the code like me, he/she will encounter the error that the session_storage key is missing. To solve that, a person has to write the code below.

    use Laminas\Session;

    return [
        'session_manager' => [
           ...
        ],
        'session_storage' => [
            'type' => \Laminas\Session\Storage\SessionArrayStorage::class,
        ],
        'session_config' => [
            'name' => 'ttatausbl',
            'remember_me_seconds' => 60 * 60 * 24 * 30 * 3,
            'use_cookies' => true,
            'cookie_httponly' => true,
            'cookie_samesite' => "Strict",
        ],
    ];

But in the end, the problem in the picture I shared above still persists. But the result for ini_get('session.cookie_samesite') is finally “Strict”. Thanks!
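The `ini_get` check used in this thread, generalized into a small audit over the cookie-related `session_config` keys (an added example, not code from the thread or from laminas-session). `auditSessionIni()` and the expected values are hypothetical, and the code assumes each key corresponds to the PHP directive `session.<key>`, as the thread's own check does.

```php
<?php
declare(strict_types=1);

/**
 * Compare the effective PHP session ini settings with the values expected
 * from a 'session_config' array. Returns a list of problems (empty = OK).
 * Hypothetical helper for illustration, not part of laminas-session.
 */
function auditSessionIni(array $expected): array
{
    $problems = [];
    foreach ($expected as $key => $want) {
        $directive = 'session.' . $key;
        $actual = ini_get($directive);

        if ($actual === false) {
            // ini_get() returns false when the directive does not exist,
            // e.g. a mistyped name or cookie_samesite on PHP < 7.3.
            $problems[] = "$directive: unknown directive";
            continue;
        }
        if (is_bool($want)) {
            // Boolean directives may be stored as "1", "On", "0", "Off" or "".
            $ok = filter_var($actual, FILTER_VALIDATE_BOOLEAN) === $want;
        } elseif ($key === 'cookie_samesite') {
            // Compare the SameSite value without regard to case.
            $ok = strcasecmp($actual, (string) $want) === 0;
        } else {
            $ok = $actual === (string) $want;
        }
        if (!$ok) {
            $problems[] = sprintf('%s: expected %s, got %s', $directive,
                var_export($want, true), var_export($actual, true));
        }
    }
    return $problems;
}

// Constructed expectations, mirroring the session_config keys in this thread.
$expected = [
    'name'            => 'ttatausbl',
    'use_cookies'     => true,
    'cookie_httponly' => true,
    'cookie_samesite' => 'Strict',
];

foreach (auditSessionIni($expected) as $line) {
    echo $line, PHP_EOL;
}
```

An empty string for `session.cookie_samesite` means the directive exists but no value was applied, while `false` from `ini_get` means the directive name itself is wrong.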

Okay, that explains it. (I was already totally confused.)

You are right, the related documentation is outdated, wrong and also ugly.

Here is a newer explanation:

Thanks for the answer @froschdesign. Last but not least how do I use ReflectionBasedController with my controller factories?

    'controllers' => [
        'factories' => [
            // Add this line
            Controller\AlbumController::class => ReflectionBasedAbstractFactory::class,
            // How do I change the below line into a ReflectionBasedAbstractFactory?
            MyModule\Controller\IndexController::class => MyModule\Factories\MyFactoryController::class,
        ],
    ],

    namespace MyModule\Factories;

    use Interop\Container\ContainerInterface;
    use Laminas\ServiceManager\Factory\FactoryInterface;

    class MyFactoryController implements FactoryInterface
    {
        public function __invoke(ContainerInterface $container, $requestedName, array $options = null)
        {
            // My other services calls
        }
    }

Also do let me know if the code needs to be changed in the documentation. I’ll change it. Thanks!

I understand now, my answer lies in the reflection-based factory. I’ll try to play with that. Thanks!

The factory class can be omitted completely!

    'controllers' => [
        'factories' => [
            MyModule\Controller\IndexController::class => Laminas\ServiceManager\AbstractFactory\ReflectionBasedAbstractFactory::class,
        ],
    ],

If you have further questions about this topic, please create a new thread. This will also help others to better find questions and answers.
Thanks!