WampServer

Hit a bit of a problem I can't seem to solve or find a answer through googling or trawling through the trouble shooting guide/ forum topics.

I hope it's just something simple that I am just missing it!

I have been running Wampserver for few years as a local host while I develop my php skills to write a php website using dreamweaver (I class myself as a newbie always willing to learn). I Have been doing it piecemeal for about 2 years and Wamp has been great as a local host. Things were going great when I last worked at it in April this year and then for various reason had to stop.

I picked up the project again about two weeks ago and suddenly found when i opened my development site in Chrome, Edge, and Opera it would not work properly. But it worked OK in Firefox and the old internet explorer.


Looking at the DevTools 'Issues' I could see they first three had issues with the php session cookies - a samesite / secure issue.
'
'Indicate whether a cookie is intended to be set in a cross-site context by specifying its SameSite attribute

Because a cookie's SameSite attribute was not set or is invalid, it defaults to SameSite=Lax, which prevents the cookie from being set in a cross-site context. This behavior protects user data from accidentally leaking to third parties and cross-site request forgery.

Resolve this issue by updating the attributes of the cookie:
Specify SameSite=None and Secure if the cookie is intended to be set in cross-site contexts. Note that only cookies sent over HTTPS may use the Secure attribute.
Specify SameSite=Strict or SameSite=Lax if the cookie should not be set by cross-site requests'

Firefox and internet explorer were happy not to have samesite undefined and not secure.

Looking in the tmp folder I could see the cookies were being produced (or at least they were going into the tmp folder) but were just not being retained and were being blocked by Chrome, Edge and Opera.


I did a bit of googling and dived into the php.ini file (the correct one) and started playing with values in :

session.cookie_secure

and

session.cookie_samesite


I found that I could change the cookie properties that Firefox was seeing to secure by just changing

session.cookie_secure to 1 or On

I thought I had solved it, HOWEVER in Chrome, Edge and Opera the session cookie was still not being saved, it was being produced as they were still appearing in the tmp folder but were not visible in the local host cookies in the application section of the DevTools. WORSE in a way was that there are NO issues being flagged. The cookies are just not being retained / kept / made.

I understand from reading that Browser have increased their security round samesite cookies since April and I must have missed something or constructed my site so it has become an issue. I can't seem to find any reference to anybody else having this issue!

I have tinkered with various other settings in php.ini . including setting 'session.cookie_samesite = "None", to no avail, I have upgraded my WampServer to 3.2.3 (big mistake as though I backed up the website I forgot about the tables in the MSQL database and lost them and had to reconstruct them!) and tried various php version from 7.2.33 to 7.3.21 to 7.4.9 with no success

I was hoping someone could give me a pointer /link on where to look for a solution as I am getting a bit frustrated ?

Hi,

Quite an essay.

Sorry but can we start with a bit of background.

1. Are your browsers up to date?
2. What versions of Apache/PHP were you using in April before you started having these problems.
3. Can you answer these questions based upon what you currenty have installed READ (and answer) BEFORE YOU ASK A QUESTION

---------------------------------------------------------------------------------------------
(Windows 10 Pro 64bit) (Wampserver 3.3.4 64bit) Aestan Tray Menu 3.2.5.4
<Apache versions MULTIPE> <PHP versions MULTIPLE> <MySQL Versions MULTIPLE>
<MariaDB versions MULTIPLE> <phpMyAdmin versions MULTIPLE> <MySQL Workbench 8.0.23>
Read The Manuals Apache -- MySQL -- PHP -- phpMyAdmin
Get your Apache/MySQL/mariaDB/PHP ADDONs here from the WAMPServer alternate Repo
-X-X-X- Backup your databases regularly Here is How dont regret it later! Yes even when developing -X-X-X-

Sorry,
1 - Chrome, Edge and Opera browsers say they are up to date
2 – Don’t know what apache version I was using in April. I lost that information when I uninstalled the old WampServer to update to the new one. The php version was 7.2 something with an option of 7.3 something I recall. 7.2.X was selected but I realised I had to upgrade . This did not help when I amended php.ini



Computer is a 2015 Apple MacBook Pro running windows in a partition

1 - Microsoft Windows 10 Home
Version 10.0.19041 Build 19041(Windows 10 Version 2004 for x64-based Systems (KB4592438) is pending installation today)
System Type x64-based PC
2 – WampServer version – 3.2.3
3 – Apache Version – 2.4.46
4 – PHP Version – 7.4.9
5 – MySQL Version – 5.7.31
5a – MariaDB Version – 10.4.13
6 – WampServer Icon is GREEN
7 – Active lines in DriverS\etc\hosts :
127.0.0.1 localhost
::1 localhost
8 – No. Homepage in www folder seems to have been replaced with my index page,
8a – cannot see Homepage WampServer
9 – Yes
10 – 2 Error / Issue message in Chrome, Edge and Opera Browsers DevTools. These issues do not appear when ‘session.cookie_secure ‘ is set to 1 or On in php.ini but cookies do not appear to be there.
Issue 1
‘Indicate whether a cookie is intended to be set in a cross-site context by specifying its SameSite attribute’
Because a cookie's SameSite attribute was not set or is invalid, it defaults to SameSite=Lax, which prevents the cookie from being set in a cross-site context. This behavior protects user data from accidentally leaking to third parties and cross-site request forgery.
Resolve this issue by updating the attributes of the cookie:
 Specify SameSite=None and Secure if the cookie is intended to be set in cross-site contexts. Note that only cookies sent over HTTPS may use the Secure attribute.
 Specify SameSite=Strict or SameSite=Lax if the cookie should not be set by cross-site requests
2. AFFECTED RESOURCES
1. 1 cookie
1.
Name Domain & Path
PHPSESSID localhost/

Issue 2
Indicate whether to send a cookie in a cross-site request by specifying its SameSite attribute
1. Because a cookie's SameSite attribute was not set or is invalid, it defaults to SameSite=Lax, which prevents the cookie from being sent in a cross-site request. This behavior protects user data from accidentally leaking to third parties and cross-site request forgery.
Resolve this issue by updating the attributes of the cookie:
 Specify SameSite=None and Secure if the cookie should be sent in cross-site requests. This enables third-party use.
 Specify SameSite=Strict or SameSite=Lax if the cookie should not be sent in cross-site requests
2. AFFECTED RESOURCES
1. 1 cookie
1.
Name Domain & Path
PHPSESSID localhost/


11 – Only using standard Windows security for virus, firewall (defender) protection.
12 - WampServer Installation path : C:\wamp64
13 – No virtual hosts that I am aware off (not actually sure what they are, how to set up or look if I have any)

Hi

Thanks.

First things is that you should not put your code in the \wamp64\www folder. That folder contains some useful bits and pieces. You should mput your website code either in a subfolder of the www folder or some completely other colder on disk, and use a Virtual Host to point to it, whereever you put it.

See The Need for Virtual Hosts

I have never had issues like this and it strikes me it must either be something to do with Mods you have made to the php.ini file or something rather odd about your windows config. Did you make any changes to the php or apache configs at all?

Alternatively it is something that the website you are using is doing. Did you write the code for this website or is it a downloaded framework or CMS like WOrdPress or some other similiar?

---------------------------------------------------------------------------------------------
(Windows 10 Pro 64bit) (Wampserver 3.3.4 64bit) Aestan Tray Menu 3.2.5.4
<Apache versions MULTIPE> <PHP versions MULTIPLE> <MySQL Versions MULTIPLE>
<MariaDB versions MULTIPLE> <phpMyAdmin versions MULTIPLE> <MySQL Workbench 8.0.23>
Read The Manuals Apache -- MySQL -- PHP -- phpMyAdmin
Get your Apache/MySQL/mariaDB/PHP ADDONs here from the WAMPServer alternate Repo
-X-X-X- Backup your databases regularly Here is How dont regret it later! Yes even when developing -X-X-X-

Hi,

RiggsFolly wrote:
"First things is that you should not put your code in the \wamp64\www folder."

The folder wamp64\wwww\ is reserved for localhost and must not be modified and especially not the index.php file.
You can put other folders there for your sites, but with VirtualHost, your sites can be anywhere on your disk.

To put back the original folders and files, run the Wampserver 3.2.4 update.

---------------------------------------------------------------
Documentation Apache - Documentation PHP - Documentation MySQL - Wampserver install files & addons

Hi
I am not sure how my index page actually got into the www folder. Its not actually one that is 'live'. That sits in the site subfolder. All the sites using the local host sit in the as subfolders in the www.

I can't actually recall deleting anything in the www folder, just pasted my sub folders in from the location I had stored them in.

Is there a link to the files that should be in there or is the best way just to re-install Wampserver?

Looks like I need to set up virtual hosts. All I can say is that all appeared well without them up to April and is still the case for Firefox.

The changes made to the php. ini file were quite limited and I made copies of them prior to change and was able to reverse them in testing. Again the changes worked in Firefox and when reversed gave the original error messages in the other browsers. The cookies were stored from all browsers in the tmp folder, the browsers were just not storing them.

It may well be something to do with the windows set up though I have not done anything to the standard configuration that I recall, certainly not since April., I'll have to try it from the MAC side and see what happens.

The php for the website is home grown, though some parts are cut and paste from solutions to issues I found online. There are no session destroy , unset session or write close commands. It would not be the bounds of belief that something is written in it that worked in April but with browser and window updates since then have exposed some critical error.

I'll have to if a simple page keeps in a new site has the same result.

I do see the issue as something I must have done in ignorance that's come back to bit and will just have to track it down.

But to be clear in theory if there were no other issues :

1 - I should be using a virtual host regardless of where the folders are

2 - from the original samesite issue messages , the solution should have been just to , in the correct php.ini file, I should delete the semi colon at the start of the line to make it readable and change the 'session.cookie_secure' to 1 or should I not amend this at all ?

3 - Leave the 'session.cookie_samesite =' as it is ?

Hi. Ran the update to restore the wampserver homepage.

After opening the website with issues there are no error messages on the bottom of the homepage.

Also under the heading 'Virtual Hosts' 'localhost' is listed

1. Yes, for lost of reasons
2. Not sure why anything needs changing. The I dont know what your site is doing
3. I do

Small Point: The Cookies and Sessions are not the same thing at all. It is the session files that you see in the wamp64/tmp folder.
Cookies are only transmitted about by the browser between client and server. They are not stored on the server file system

---------------------------------------------------------------------------------------------
(Windows 10 Pro 64bit) (Wampserver 3.3.4 64bit) Aestan Tray Menu 3.2.5.4
<Apache versions MULTIPE> <PHP versions MULTIPLE> <MySQL Versions MULTIPLE>
<MariaDB versions MULTIPLE> <phpMyAdmin versions MULTIPLE> <MySQL Workbench 8.0.23>
Read The Manuals Apache -- MySQL -- PHP -- phpMyAdmin
Get your Apache/MySQL/mariaDB/PHP ADDONs here from the WAMPServer alternate Repo
-X-X-X- Backup your databases regularly Here is How dont regret it later! Yes even when developing -X-X-X-

Hi,

> in the correct php.ini file,
It is Left-Click -> PHP -> php.ini
that correspond to wamp64\bin\apache\apache2.4.46a\bin\php.ini that is a symbolic link to the file phpForApache.ini of PHP version used.

Removing the semicolon at the beginning of a directive means that it will be taken into account.

For the modifications of this file to be taken into account you must either restart Wampserver or Right-Click -> Refresh.

---------------------------------------------------------------
Documentation Apache - Documentation PHP - Documentation MySQL - Wampserver install files & addons

Hi,

See [www.php.net] and particularly:
secure

Indicates that the cookie should only be transmitted over a secure HTTPS connection from the client. When set to true, the cookie will only be set if a secure connection exists. On the server-side, it's on the programmer to send this kind of cookie only on secure connection (e.g. with respect to $_SERVER["HTTPS"]).

See also [www.php.net]

---------------------------------------------------------------
Documentation Apache - Documentation PHP - Documentation MySQL - Wampserver install files & addons

I understand that Cookies and sessions are not the same , I am storing some session arrays and variables which go in the tmp folder as session files, the client just needed to keep track of the session number and i think that's done by the session cookie client side

In my configuration without making any changes to the php.ini file Chrome, Edge and Opera all seem to want to block the session cookie because, as I understand it, they see the samesite value of the session cookie as 'none' and therefore want the session cookie secure as 1 as opposed to the default value.

Without the session cookie being retained client side its losing the reference to the server side and the stored data.

I am purely using Wampserver as a testing server and the code is in dreamweaver, I haven't tried it on a live server, though I do have the ability through Godaddy who host some HTML based sites I have. If you are not making any changes to your php.ini file then It looks like there must be something in the browser settings for Chrome, Opera and Edge on my machine , or windows set up, I do have them set to 'accept all cookies' in the browser settings.

Back to square 1

I am a little intrigued.

As it sounds like you are only using the localhost i dont get the cross site issue.

Would you share some of the code, the cookie code specifically that exsists in your scripts?

Or are you saying that the only cookie you are aware of is the PHPSESSID cookie that PHP itself uses?

---------------------------------------------------------------------------------------------
(Windows 10 Pro 64bit) (Wampserver 3.3.4 64bit) Aestan Tray Menu 3.2.5.4
<Apache versions MULTIPE> <PHP versions MULTIPLE> <MySQL Versions MULTIPLE>
<MariaDB versions MULTIPLE> <phpMyAdmin versions MULTIPLE> <MySQL Workbench 8.0.23>
Read The Manuals Apache -- MySQL -- PHP -- phpMyAdmin
Get your Apache/MySQL/mariaDB/PHP ADDONs here from the WAMPServer alternate Repo
-X-X-X- Backup your databases regularly Here is How dont regret it later! Yes even when developing -X-X-X-

Also, if you have to change things in the php.ini to get them running on WAMPServer, there is the possibility that you WILL NOT be allowed to make those same changes when you come to move this code to a LIVE hosted server.

So the danger here is you are storing up a probelm that will really bit you in the but later

---------------------------------------------------------------------------------------------
(Windows 10 Pro 64bit) (Wampserver 3.3.4 64bit) Aestan Tray Menu 3.2.5.4
<Apache versions MULTIPE> <PHP versions MULTIPLE> <MySQL Versions MULTIPLE>
<MariaDB versions MULTIPLE> <phpMyAdmin versions MULTIPLE> <MySQL Workbench 8.0.23>
Read The Manuals Apache -- MySQL -- PHP -- phpMyAdmin
Get your Apache/MySQL/mariaDB/PHP ADDONs here from the WAMPServer alternate Repo
-X-X-X- Backup your databases regularly Here is How dont regret it later! Yes even when developing -X-X-X-

Hum
At the moment i was only assuming that the issue was with the local host, I will have to cobble something on the live server and see what happens with a test site.

I haven't got any cookies in the code, i was trying to get away from them and use global and session variables. The only cookie code was that in the php.ini which is why i was tinkering there.

I do recall one of the browser flagging an issue with a cookie that was related to the 'godaddy goldseal' or something but didn't take much notice of it as it was not Chrome, might have been Edge or Opera. I think that was a bit of code i threw in because if the site goes live it will be HTTPS on godaddy and its their verification mark

I will have a look at stuff again tomorrow.

I will update the tread if I find anything one way or the other

By the way - does what you say mean my virtual host already exists as 'localhost?

Yes, if you look at the httpd-vhosts.conf (menu link) you will see that even localhost is defined as a VH

---------------------------------------------------------------------------------------------
(Windows 10 Pro 64bit) (Wampserver 3.3.4 64bit) Aestan Tray Menu 3.2.5.4
<Apache versions MULTIPE> <PHP versions MULTIPLE> <MySQL Versions MULTIPLE>
<MariaDB versions MULTIPLE> <phpMyAdmin versions MULTIPLE> <MySQL Workbench 8.0.23>
Read The Manuals Apache -- MySQL -- PHP -- phpMyAdmin
Get your Apache/MySQL/mariaDB/PHP ADDONs here from the WAMPServer alternate Repo
-X-X-X- Backup your databases regularly Here is How dont regret it later! Yes even when developing -X-X-X-

Hi
Thought I would let you know that I up loaded the development site on to a live hosted server (through Godaddy) to quickly test it there. It appears to retain the session cookie in Chrome at least.

I need to upload MySQL database tables into the live server MYSQL database through phpMyAdmin to fully test it (have to see how I can do that from the phpMyAdmin in my Wampserver).

It seems at the moment the error i was getting in Chrome not retaining the session cookie using Wampserver as a local host is not replicated when its on a live server. Seems a bit strange.

When I look in DevTools - Application - cookies for the live server I see the browser has the no value in the 'samesite' column nor in the 'secure' column. Godaddy has created a few cookies, some of have 'none' values and these are all ticked 'secure' as well

I'll look to see how to transfer the databases over and test a bit more and let you know what happens

Hi
Just to let you know that the same code on the Godaddy live server works OK with no issues with cookies.

Looking in phpmyadminon the live server its running 7.3.6


It was useful in another way in that it flagged up a couple of case- sensitive issues in a couple of php files that Wampserver was OK with (it was me using a 'include' statement with a capital letter at the start of the php file to include, but the php files themselves had all lowercase letters

I don't really know why Chrome, Edge and Opera when loading the the site with Wampserver as a local host has suddenly decided that the session cookie is an issue and won't allow it while the live servers are OK with it

Hi

The case sensitive thing is a well known issue when moving code from Windows(which is case insensitive) to Linux(which is case sensitive). Its just one of those things that a developer that uses both environments has to remember and pick a standard for. I use all lower to avoid the issue

As you are the only person reporting this issue, and we dont have enough information to work out how to configure one of our systems to imitate this probelm I am afraid I am running very short of useful ideas at this point.

It does however worry me when you report information to us that is so obviously incorrect, you say your server is using a version of phpMyAdmin that does not exist, the latest version veing `phpMyAdmin 5.0.4` I assume you mean to say that the server is using PHP7.3.6

---------------------------------------------------------------------------------------------
(Windows 10 Pro 64bit) (Wampserver 3.3.4 64bit) Aestan Tray Menu 3.2.5.4
<Apache versions MULTIPE> <PHP versions MULTIPLE> <MySQL Versions MULTIPLE>
<MariaDB versions MULTIPLE> <phpMyAdmin versions MULTIPLE> <MySQL Workbench 8.0.23>
Read The Manuals Apache -- MySQL -- PHP -- phpMyAdmin
Get your Apache/MySQL/mariaDB/PHP ADDONs here from the WAMPServer alternate Repo
-X-X-X- Backup your databases regularly Here is How dont regret it later! Yes even when developing -X-X-X-



Edited 3 time(s). Last edit at 12/14/2020 02:30PM by RiggsFolly.

sorry, need to read back what I type

Yes Godaddy web server php version was 7.3.6, the version of phpMyAdmin was 4.9.4 in my case

Yes If I am the only person reporting it it suggests it may be to do with something my computer set up or my lack of knowledge. I'll just view it using Firefox for the moment which appears to work fine and upload to a web server to test the other browsers