CB login / CB connect without cookies

Hi Kyle
Following my devs and posts  www.joomlapolis.com/forum/developer-members-support/245744-cb-connection-from-a-link-with-query and  www.joomlapolis.com/forum/developer-members-support/245731-cb-login-authentication-token I was able to make a nice widget to be displayed on outside websites.

This is working fine except that on Safari and Chrome which blocks external cookies, it's impossible for our users to log in to our website and get no limitations to their questions. See for instance  ma-revelation.fr/ with the CB button.

Is it possible with CB Login or CB connect or an autoaction to have a login behavior without cookies for our users. I mean that they would enter their id/password, be recognized and sent back to the iframe with an authorization token or something like this. I need something without cookies.

For now only Firefox would allow log in.

I know that Joomla uses cookies to maintain the user session but I need only a confirmation back to allow the user to continue using the same page on the iframe.

Can I have your thoughts about this ? is it feasible with Community Builder ?

Thanks a lot 

That's probably due to the below change in Chrome awhile back (a good change!).

chromestatus.com/feature/5088147346030592

You'd need to set a cookie with Same-Site option set to None to allow it to work in an iframe outside its origin. You might be able to just modify the existing Joomla session cookie and set its Same-Site, which by default is empty (not the same as None).

Do you know where I can change this setting ?
Do I have to modifiy core joomla files because it's not in the config settings ?

Do you know where I can change this setting ?

I don't think Joomla offers a setting to change this, but I could be wrong. My guess is it would be somewhere in Joomla's global configuration. Most likely it doesn't though and you'd need to modify the cookie yourself using PHP.

Do I have to modifiy core joomla files because it's not in the config settings 

Probably, or edit the cookie from PHP after it has already been set. To do that you get the cookie, set your new values, then create the cookie again. Looks like there was a big discussion on adding a SameSite param that ultimately didn't go anywhere. Some suggestions for things to try there though. Link below.

github.com/joomla/joomla-cms/pull/25414
github.com/joomla/joomla-cms/issues/32147

Looks like latest suggestion is a Joomla plugin to do it. Sorry, never needed to do this so nothing more I can suggest, but this is the route you need to take. There is no workaround to this.

Yep I tried a very simple : ini_set('session.cookie_samesite', 'None');
but it does not work as it seems like joomla 4 has its own way to set cookies with joomla_user_state and no longer session.

I was wondering if a code autoaction just after the login would be enough ? Joomla should take this into account as it may be an issue in the future

I was wondering if a code autoaction just after the login would be enough ?

Sessions are established as soon as the user visits the site. If Joomla has an event for when a session is created that'd be most ideal. I'm unsure if it does though.

Joomla should take this into account as it may be an issue in the future

I agree and there were many discussions on the lack of control over the session cookie. Not much I can really suggest though as this is out of CBs hands. Worst case scenario you'll have to modify Joomla to suit your needs. Looks like login cookie at least is done in the Joomla core user plugin below.

/plugins/user/joomla/joomla.php

Specifically on onUserLogin Joomla event. So it should be extendable from CB either after CBs login event or Joomlas using joomla_onUserLogin. You should see it setting the joomla_user_state cookie at the bottom. Not sure if that's the relevant cookie though. Sorry, this isn't something we can really help you with. Suggest posting to Joomla's forums as others may have already implemented solutions for adjusting Joomla's session cookie.