Session not being saved anymore after latest update

Hey there,

after the latest FiveM update it seems like calling an <iframe> website through a script no longer saves the session ID with the issue of trying to access a data terminal (website) through the game not working anymore.

This issue first popped up only on canary around 4-5 days ago and then completely after 2 days.

This is surely some recent update that occurred to the client itself as it was happening only in canary first and then to the main release also.

This issue does pop up in all 10 peeps who are using this terminal (Just note that every single one of them is hosting this by themselves, so it would be impossible for all of them to actually change code and break for everyone :stuck_out_tongue: )

Lastly, it does work if you hop into it from a normal browser such as chrome, firefox but not from in-game (gets stuck in the login as session is not being saved or something)

Here’s the code in PHP for the login, maybe this can give you a better idea:

<!doctype html>
<html lang="en">
    <head>

        <!--Metas for page.-->
        <meta charset="utf-8">
        <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
        <meta name="description" content="">
        <meta name="author" content="">

        <!--The links for css, icons and fonts.-->
        <link rel="icon" href="files/img/lspd.png">
        <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css" integrity="sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T" crossorigin="anonymous">
        <link href="https://fonts.googleapis.com/css2?family=Montserrat:ital,wght@0,100;0,400;0,600;0,900;1,100;1,400;1,600;1,900&display=swap" rel="stylesheet">
        <link href="files/css/main.css" rel="stylesheet">
        <link href="files/css/extras.css" rel="stylesheet">

        <!--JavaScript.-->
        <script src="https://code.jquery.com/jquery-3.3.1.slim.min.js" integrity="sha384-q8i/X+965DzO0rT7abK41JStQIAqVgRVzpbzo5smXKp4YfRvH+8abtTE1Pi6jizo" crossorigin="anonymous"></script>
        <script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.7/umd/popper.min.js" integrity="sha384-UO2eT0CpHqdSJQ6hJty5KVphtPhzWj9WO1clHTMGa3JDZwrnQq4sF86dIHNDz0W1" crossorigin="anonymous"></script>
        <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js" integrity="sha384-JjSmVgyd0p3pXB1rRibZUAYoIIy6OrQ6VrjIEaFf/nJGzIxFDsf4x0xIM+B07jRM" crossorigin="anonymous"></script>
        <script src="files/js/main.js"></script>


        <!--Title of page.-->
        <title>Data Terminal - Login</title>


    </head>
    <body>
        <nav class="navbar fixed-top navbar-expand-lg navbar-custom bg-custom">
            <div class="collapse navbar-collapse" id="navbarsExampleDefault">

                <!-- Left menu -->
                <ul class="navbar-nav mr-auto">
                    <li class="nav-item">
                        <a class="nav-label" href="#">
                            
                            <img src="files/img/lspd.png" width="75" height="24" alt="LSPD IMAGE">

                            <span class="title">Session ID: #<?php
                                                                        function generateRandomString($length = 5) { //Simple function that takes a random string for the Session ID.
                                                                        $characters = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ';
                                                                        $charactersLength = strlen($characters);
                                                                        $randomString = '';
                                                                        for ($i = 0; $i < $length; $i++) {
                                                                            $randomString .= $characters[rand(0, $charactersLength - 1)];
                                                                        }
                                                                        return $randomString;
                                                                    };
                                                                    echo generateRandomString();
                                                                    ?>
                            </span>

                        </a>
                    </li>
                </ul>
            </div>
        </nav>

        <main role="main" class="container">
            <div class="login-container">
                <div class="login-content">
                    <h4><strong>LSPD Data Terminal</strong></h4><br>

                    <?php if (isset($_GET['wrongcredentials'])) { ?>
                    <p><strong>Credentials do not meet our records</strong></p> <!--Shows up an error if the page is set to wrongcredentials-->
                    <?php }?>

                    <form method="post">
                        <div class="input-group mb-3">
                            <input type="text" name="username" class="form-contrl lgin-user" value="" placeholder="Username / Email">
                        </div>
                        <div class="input-group mb-2">
                            <input type="password" name="password" class="form-contrl lgin-pass" value="" autocomplete="new-password" placeholder="Password">
                        </div>
                        <div class="form-group">
                            <button type="submit" name="login" class="btn btn-primary btn-login submit-btn">Log in</button>
                        </div>
                    </form>

                </div>
            </div>
        </main>
    </body>
</html>

<?php // This php code is used for the main login screen, 

    require "database.php"; // Requires first the database connection

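    if ($_SERVER['REQUEST_METHOD'] == "POST") 
    {
        if (trim($_POST['username']) == NULL) 
        {
            Header("Location:login?wrongcredentials"); //Wrong Credentials
            exit; //Stop here so the query below does not run after the redirect
        }
        if (trim($_POST['password']) == NULL) 
        {
            Header("Location:login?wrongcredentials"); //Wrong Credentials
            exit; //Stop here so the query below does not run after the redirect
        }        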

        $query = $con->query(
            "SELECT * FROM accounts WHERE username = '".$con->real_escape_string($_POST['username'])."'"  //Query to fetch accounts
        );

        if ($query->num_rows == 1) 
        {
            $row = $query->fetch_assoc();
            if (password_verify($_POST['password'],$row['password'])) 
            {

                $_SESSION['loggedin'] = true;
                $_SESSION['username'] = $_POST['username'];
                $_SESSION['role'] = $row['role'];
                $_SESSION['name'] = $row['name'];
                $_SESSION['rank'] = $row['rank'];
                $_SESSION['id'] = $row['id'];
                $_SESSION["personid"] = NULL;
                $_SESSION["reportid"] = NULL;
                

                $con->query(
                    "UPDATE accounts SET seen = '".date('Y-m-d')."' WHERE id = '".$row['id']."'" //Updates the last time seen.
                );
                
                if (!empty($_SERVER['HTTP_REFERER'])) { //The request header is spelled HTTP_REFERER
                    header("Location: home"); //Referrer method goes here.
                } else {
                    Header("Location: home"); //Logs you in.
                }
                
            } else 
            {
                Header("Location: login?wrongcredentials"); //Wrong Credentials
            }
        } else 
        {
            Header("Location: login?wrongcredentials"); //Wrong Credentials
        }
    }
?> 

Thanks for reading,
i am more than happy to help by providing more info but can’t think of anything that would be helpful at the moment rather than just the $_SESSION code as there is where it does the trick.

Best Regards,
Cisoko

It might be something changed around Chrome’s enforcement of third-party cookie policy - do you have any easier test case that doesn’t depend on some third-party assets to set a cookie + a wrapper page?

Also, are you using the cerulean manifest version which moves to https://cfx-nui- and not nui://? It might be nui:// is entirely broken in newer Chrome for cookie origins, as Google has been slowly phasing out non-http/https schemes’ ability to use cookies (e.g. previously we could use CefCookieManager::SetSupportedSchemes, but this call no longer exists).

Ah, I see: this is replaced with a cookieable_schemes_list in browser initialization.

This’ll hopefully be fixed as part of an out-of-band update later today.

Also…

Please try reporting issues the moment you notice them occurring. :stuck_out_tongue:

Hey again,

really thanks for the quick response. I did test now, with both fx versions (cerulean and bodacious). It doesn’t really change anything. Only thing i do get is this here:

We are not using any sort of SSL verification and it is loaded as a HTTP and not HTTPS site (Only happens with cerulean)

(Honestly i think i should start reading a bit more on FiveM docs from you guys as i didn’t even know about the fx versions.)

So my question, are we now waiting on an update from Chrome or FiveM? A bit confused, sorry. :stuck_out_tongue:

Also here’s how we are loading it through HTML. It’s pretty much the iframe code, the rest is just like photos for frames to look good in-game.

<html>
    <head>
        <title></title>
        <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/css/bootstrap.min.css" integrity="sha384-MCw98/SFnGE8fJT3GXwEOngsV7Zt27NXFoaoApmYm81iuXoPkFOJwJ8ERdknLPMO" crossorigin="anonymous">
        <script src="https://code.jquery.com/jquery-1.12.4.js"></script>
    </head>
    <body style="background:rgb(0,0,0,0.0)">
	
        <div id="tablet">
            <div class="tablet-container">
                <div class="tablet-bg" style="display:none; background: #000000; position: absolute; margin: 0 auto; left:0; right: 0; top: 9.2vh; width:74vw;height:75vh;"></div>
                <iframe src="http://localhost/policeDataTerminal/login" name="tablet" frameborder="0" style="display:none; position: absolute; margin: 0 auto; left:0; right: 0; top: 9.7vh; width:74vw;height:76.5vh;"></iframe>
                <img src="img/tablet-frame.png" alt="tablet" class="tablet-frame" style="display:none; pointer-events: none; position: absolute; margin: 0 auto; left:0; right: 0; top: 3.9vh; width:83.2vw;height:85vh;" />
            </div>
        </div>
		
        <div id="computer">
            <div class="computer-container">
                <div class="computer-bg" style="display:none; background: #000000; position: absolute; margin: 0 auto; left:0; right: 0; top: 12vh; width:79vw;height:70vh;"></div>
                <iframe src="http://localhost/policeDataTerminal/login" name="computer" frameborder="0" style="display:none; position: absolute; margin: 0 auto; left:0; right: 0; top: 12vh; width:79vw;height:70vh;"></iframe>
                <img src="img/computer-frame.png" alt="computer" class="computer-frame" style="display:none; pointer-events: none; position: absolute; margin: 0 auto; left:0; right: 0; top: 10.5vh; width:80vw;height:89vh;" />
            </div>
        </div>		
		
        <div id="laptop">
            <div class="laptop-container">
                <div class="laptop-bg" style="display:none; background: #000000; position: absolute; margin: 0 auto; left:0; right: 0; top: 11vh; width:75vw;height:67.5vh;"></div>
                <iframe src="http://localhost/policeDataTerminal/login" name="laptop" frameborder="0" style="display:none; position: absolute; margin: 0 auto; left:0; right: 0; top: 11vh; width:75vw;height:67.5vh;"></iframe>
                <img src="img/laptop-frame.png" alt="laptop" class="laptop-frame" style="display:none; pointer-events: none; position: absolute; margin: 0 auto; left:0; right: 0; top: 6.5vh; width:97vw;height:89vh;" />
            </div>
        </div>	
		
        <script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.3/umd/popper.min.js" integrity="sha384-ZMP7rVo3mIykV+2+9J3UJ46jBk0WLaUAdn689aCwoqbBJiSnjAK/l8WvCWPIPm49" crossorigin="anonymous"></script>
        <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/js/bootstrap.min.js" integrity="sha384-ChfqqxuZUCnJSK3+MXmPNIyE6ZbWh2IMqE241rYiqJxyMiZ6OW/JmZQ5stwEULTy" crossorigin="anonymous"></script>
        <script src="js/script.js"></script>
    </body>
</html>

Looking forward to hearing from you again!

Best Regards,
Cisoko

Yeah, this mode requires any requests to be https://resourcename and not just http://resourcename.

Next canary update should include the change fixing this - I guess the TODO comment was forgotten as it was assumed the call wasn’t needed anymore instead of being moved.

1 Like

Hey there,

thanks for the information and the update.

One last question i do have is; Where could i check for canary updates? Like patch notes, or are they only available on github?

Best Regards,
Cisoko

Hey there again,

sorry for being a bit of an ass and again replying but i did see the changelogs on the FiveM client and i suppose the update is already live?

Still we are getting the same issue, so here’s what i tried after seeing the update:

  1. Tried switching from canary to release and vice versa
  2. Updated server artifacts
  3. Tried both bodacious and cerulean options
  4. Reinstalled FiveM just in case the update didn’t occur on my client

Umm, so yeah, that’s pretty much it what i’ve tried as i supposed the changelogs provided went live on the Release client.

Looking forward to hearing from you again! :heart:

Best Regards,
Cisoko

Hey guys, any update in regards to this?

yeah i wanted to hear some news too…a lot of ppl waiting for this fix

You need to have cookies with SameSite None to work in iframe

There are multiple ways to fix this
I fixed this by adding the following in apache configuration

Header always edit Set-Cookie (.*) "$1;HTTPOnly;Secure;SameSite=none"

But can also be fixed in your php application

1 Like
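The PHP-side fix mentioned in the post above, as an added example that is not part of the original thread: it sets the session cookie attributes before `session_start()` so the cookie is sent when the site is embedded in a cross-site `<iframe>`. The helper names `start_embedded_session` and `mark_logged_in` are hypothetical, PHP 7.3 or later is assumed for the array form of `session_set_cookie_params()`, and the site is assumed to be served over HTTPS, because browsers reject `SameSite=None` cookies that lack `Secure`.

```php
<?php
// Added example (not from the thread). Assumes PHP >= 7.3 and that this file
// is included before any output and before any other session_start() call.

/**
 * Hypothetical helper: start a session whose cookie can be sent when the
 * site is embedded in a cross-site <iframe>.
 */
function start_embedded_session(): bool
{
    // SameSite=None is only honoured together with Secure, and a Secure
    // cookie is only sent over HTTPS, so refuse to continue on plain HTTP.
    // Assumption: TLS terminates on this server; behind a reverse proxy
    // $_SERVER['HTTPS'] may be unset and this check must be adapted.
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    if (!$https) {
        error_log('Session cookie needs HTTPS for SameSite=None; Secure');
        return false;
    }

    session_set_cookie_params([
        'lifetime' => 0,       // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,    // required by browsers when SameSite=None
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'None',  // allow sending in a third-party (iframe) context
    ]);

    return session_start();
}

/**
 * Call after password_verify() succeeds: issue a fresh session ID so an ID
 * that existed before login cannot be reused afterwards (session fixation).
 */
function mark_logged_in(array $row): void
{
    session_regenerate_id(true);
    $_SESSION['loggedin'] = true;
    $_SESSION['id'] = $row['id'];
}

if (!start_embedded_session()) {
    http_response_code(500);
    exit('This page must be served over HTTPS to be used inside an iframe.');
}
```

With `SameSite=None` the session cookie is also attached to requests triggered from other sites, so state-changing forms such as the login form need their own CSRF token.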

EDIT: works only for localhost.

Hey there,

thanks a lot for bringing light into this. Managed to fix this now with your way. Actually i did some research and found multiple ways so for anyone who needs help on this make sure you check here: StackOverFlow

I used the .htaccess method. So pretty much added this line in .htaccess file:

Header edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure;SameSite=none"

Anyways, thanks again for being helpful. Saved me a lot of time as it was a chrome update as it seems so.

Have a nice day, if you ever need any support with coding, feel free to hit me up. :heart:

Best Regards,
Cisoko

1 Like

Hey, thanks for that. I’m guessing that it needs SSL?

I’m hosting this with my dedi server from OVH via xampp.

Hello, for me nothing fixed it… Do I need like SSL Certificate or something configured? I’m using Ubuntu and apache2.

Hey there,

It still seems like the issue persists if you don’t use localhost.

Honestly I can’t really understand what the issue could be as the Chrome updates occurred in August last year. This issue started when fivem did some updates and they only popped on canary for 2 days and then on the release.

I did all the changes needed to my website code wise with making third party cookies accessible (Changing SameSite from Lax to None) but no luck at all. The only fix was through localhost but you can’t have that as people need to open a proper website.

The real question for me now is what browser does HTML open when we call <iframe> through FiveM.

As I’ve read you could even fix this only on your end by disabling the safety feature of chrome by enabling third party cookies but i really don’t know how you can do that in FiveM.

Exactly. We were running a Chrome version from April 2020 until recently.

The underlying issue making cookies not work for nui:// scheme was fixed, and any further discussion is off topic for this section.