Hi All…
Desperately looking for some help. Have spent countless hours trying to find a solution and have not been able to. I have read probably every similar report, plus multiple other sources to try and find a solution.
This includes reviewing the Symfony documentation as well, which is where I believe the issue possibly lies: Framework Configuration Reference (FrameworkBundle) (Symfony 5.x Docs).
I am upgrading from Suite7 to Suite 8.
In Suite 7, this was working.
I am embedding SuiteCRM URL as an iframe in a remote web page so that users have access to crm data from a single page.
When I do this in Suite7 it is working, but with Suite8, the browser complains about XSRF-TOKEN being blocked due to the cookie being set as Lax, but I have set pretty much every reference I can find to "none".
According to the Symfony documentation when using PHP samesite cookie settings, the value should be set to Null, which I modified in the respective /config/packages/framework + nelmio yaml files.
This does not seem to affect anything.
I have also tried setting them to none with no change.
I also followed the Session Directory guide and created a custom directory in extensions, following the example on the site for directory path and set the framework.yaml to also be none or null based on the respective test.
No luck.
I then created and added an info.php file and placed it in my directory, and was able to successfully connect to it while embedded in the iframe, so I feel confident that Apache is not impacting this.
I suspect that the issue is likely buried somewhere in a Symfony setting, or the version of Symfony (which is outdated) has a bug and it is not properly respecting the SameSite=None setting.
I took a snapshot of the server and then tried to do a Symfony update including the available packages. On the plus side, the page started being displayed in the iframe… unfortunately, though, it was pretty much there to tell me that the page was broken with missing config files etc.
When I looked at the composer.json, it also referenced that PHP 7.4 was required (I believe for Symfony) but Suite8 required 8+.
As a side note, when I connect directly to SuiteCRM8, using the browser developer tools, there are multiple references to same site attribute settings being set to Lax for “ck_login” but because it is the same origin it’s being allowed.
Apache has a header setting for samesite = none and I have verified that it is being correctly set. PHPSESSID is also setting the samesite=none…
But there are still references to samesite=lax both direct and via iframe.
My environment is Ubuntu 22.04, Apache2, PHP (both 7.4 and 8.2 are installed but Apache is configured to use 8.2). SuiteCRM is 8.5.1 (latest).
If there are any suggestions, please, I am all ears. I have been working on this since early last week and I need to get it resolved. Hopefully the image works… Thanks
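
A way to see which of the cookies named in the post (XSRF-TOKEN, PHPSESSID, ck_login) a browser would accept inside a cross-site iframe, given the `Set-Cookie` headers copied from the developer tools. This is an added example, not part of the original post or SuiteCRM's code; the header values and the `example_*` cookies are constructed, and the function names are hypothetical.

```python
# Constructed sample Set-Cookie values (not captured from a real server).
SAMPLE_HEADERS = [
    "XSRF-TOKEN=abc123; path=/; samesite=lax",
    "PHPSESSID=def456; path=/; secure; HttpOnly; SameSite=None",
    "ck_login=ghi789; path=/; SameSite=Lax",
    "example_pref=1; path=/; SameSite=None",   # constructed: None without Secure
    "example_theme=dark; path=/",              # constructed: no SameSite at all
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attrs) with lowercased attribute keys."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def third_party_verdict(header):
    """Classify a cookie for use in a cross-site (third-party) iframe.

    'eligible' means the attributes allow cross-site use; a browser's own
    third-party-cookie blocking settings can still apply on top of this.
    """
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    if samesite == "none":
        if "secure" in attrs:
            return name, "eligible"
        # Browsers reject SameSite=None cookies that lack the Secure attribute.
        return name, "rejected: SameSite=None without Secure"
    if samesite in ("lax", "strict"):
        return name, f"blocked: SameSite={samesite.capitalize()}"
    # Chromium-based browsers treat a missing attribute as Lax.
    return name, "blocked: no SameSite attribute (treated as Lax)"

def audit(headers):
    """Return {cookie name: verdict} for a list of Set-Cookie header values."""
    return dict(third_party_verdict(h) for h in headers)

if __name__ == "__main__":
    for cookie, verdict in audit(SAMPLE_HEADERS).items():
        print(f"{cookie:15} {verdict}")
```

Every cookie the embedded page depends on has to come out as eligible; a single one still emitted as Lax produces the blocked-cookie warning described in the post.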