I have a WordPress website which I want to embed in an iframe. As part of this, there is restricted content that redirects users to a login form if they are not logged in to their account on my WordPress website.
This didn't use to be a problem. However, now on Chrome, if I try to log in through an iframe, the credentials are accepted but the authentication cookies don't appear to be set, so I just end up back at the login form (whereas in a regular Chrome tab it works and I can access the restricted content).
I believe this is because the WordPress authentication cookie itself is missing the SameSite=None attribute, which means Chrome is seeing it as a third-party cookie and is therefore blocking it, as mentioned here: https://developers.google.com/search/blog/2020/01/get-ready-for-new-samesitenone-secure
However, unfortunately I can't seem to find a way of being able to set these properties onto my authentication cookies.
Steps I have tried so far:
- Installing this WordPress Plugin https://wordpress.org/plugins/samesite/ and following the instructions
- Updating my php.ini settings with

      session.cookie_secure = 1;
      session.cookie_httponly = 1;
      session.cookie_samesite = "None";

  These settings were then confirmed to be on when using phpinfo(), but they didn't seem to make a difference.
Is there anything else I can try or any obvious flaws with the two approaches I have tried so far?
If not, then is there an alternative way that I could manage logins that then wouldn't require cookies?
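
A diagnostic for the hypothesis in the question, added here as an example and not part of the original post: it parses the `Set-Cookie` headers of a login response and reports which cookies Chrome would accept from a cross-site iframe (`SameSite=None` together with `Secure`). The `session.cookie_*` directives in php.ini apply only to PHP's own session cookie, so the sample puts one such cookie next to WordPress-style cookies that carry no `SameSite` attribute; the function names, cookie hash suffix and cookie values are constructed for illustration.

```javascript
// Parse one Set-Cookie header value into the attributes that matter here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), secure: false, httpOnly: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=");
    const k = key.trim().toLowerCase();
    if (k === "secure") cookie.secure = true;
    else if (k === "httponly") cookie.httpOnly = true;
    else if (k === "samesite") cookie.sameSite = value.trim().toLowerCase();
  }
  return cookie;
}

// Verdict for a response loaded inside a cross-site iframe in Chrome.
function iframeVerdict(cookie) {
  if (cookie.sameSite === "none") {
    return cookie.secure ? "sent" : "rejected: SameSite=None without Secure";
  }
  if (cookie.sameSite === "strict") return "blocked: SameSite=Strict";
  if (cookie.sameSite === "lax") return "blocked: SameSite=Lax";
  // A missing or unrecognised SameSite value is treated as Lax.
  return "blocked: treated as Lax (no valid SameSite)";
}

function auditLoginResponse(setCookieHeaders) {
  return setCookieHeaders.map((h) => {
    const c = parseSetCookie(h);
    return { name: c.name, verdict: iframeVerdict(c) };
  });
}

// Constructed sample, not captured traffic. The first line is a PHP session
// cookie as emitted with the php.ini settings from the question (present only
// if something on the site starts a PHP session); the rest are WordPress-style
// cookies with a made-up hash suffix and made-up values.
const SAMPLE_HEADERS = [
  "PHPSESSID=abc123; path=/; secure; HttpOnly; SameSite=None",
  "wordpress_test_cookie=WP%20Cookie%20check; path=/; secure",
  "wordpress_sec_0123abcd=admin%7C1700000000%7Cconstructed; path=/wp-admin; secure; HttpOnly",
  "wordpress_logged_in_0123abcd=admin%7C1700000000%7Cconstructed; path=/; secure; HttpOnly",
];

for (const row of auditLoginResponse(SAMPLE_HEADERS)) {
  console.log(row.name.padEnd(32), row.verdict);
}
```

To run it against a real site, replace `SAMPLE_HEADERS` with the `Set-Cookie` values shown for the login POST in the browser's network panel.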