XF 2.1 SameSites


I am on XF 2.1 and recently just updated to 2.1.11 I was developing an Iframe to display another website. Everything went okay until website I was using Iframe on displayed an error "The CSRF token is invalid. Please try to resubmit the form." After tons of research, I learned that this is caused by Iframe's requests was not sending cookies. Look into deeply and it's caused by SameSites default to Lax for chromes. This is where the root of the issue, how would I set SameSites to none for XF 2.1? So, that I may have my Iframe website working correctly. Would there be any issues in doing so? I read up by changing it, it would cause some security issues.

Thank you.
Last edited:


XenForo developer
Staff member
2.1 doesn't really have any concept of SameSite cookie options. 2.2 does start adding some support for it, though it does depend on PHP 7.3 (as that's when their cookie API exposes them). However, this generally isn't something that is exposed in a user editable way -- it'd normally be a developer decision, so it'd likely require code modifications (though it's possible an add-on might be able to modify how cookies are set a low level).
Firstly thank you for your time. Also, the only add-on that was available from another site that I had found it was made for XF 1.5, most of the guide that was discussed in it can be applied to 2.1 but the very last part of it to edit page_container_js_body sadly you can't do that in 2.1 because that been changed to what I believe to be Page_Container can't find page_container_js_body to then edit _cookieConfig. I wasn't able to find any guide or addons from Xenforo. I have PHP 7.4.10 and set session.cookie_samesite="None" then restart PHP it didn't fix the issue at all. Do you have any other idea or know of a quick method to resolve this? Thank you.