Introduced in branch: 7.x
Introduced in version: 7.79
Description:

Drupal 7 now supports the SameSite attribute on cookies. Drupal core uses this new functionality for its session cookies.

PHP introduced native support for the SameSite cookie attribute in PHP 7.3, so Drupal emulates this functionality for earlier PHP versions.

If you are using a version of PHP earlier than 7.3, Drupal will provide a default value of "None" for the SameSite attribute only if the cookie will also have the Secure attribute set, in accordance with the (proposed) specifications.

The order of precedence followed when deciding whether to set a SameSite attribute, and if so which value to use, is documented in the new _drupal_samesite_cookie() function:

https://git.drupalcode.org/project/drupal/-/commit/7ba88d9d4f2d38f563c3f...

/**
 * Determine the value for the samesite cookie attribute, in the following order
 * of precedence:
 *
 * 1) A value explicitly passed to drupal_setcookie()
 * 2) A value set in $conf['samesite_cookie_value']
 * 3) The setting from php ini
 * 4) The default of None, or FALSE (no attribute) if the cookie is not Secure
 */

Sites can provide their own value for this attribute by setting the samesite_cookie_value variable in settings.php (this applies to all PHP versions):

/**
 * SameSite cookie attribute.
 *
 * This variable can be used to set a value for the SameSite cookie attribute.
 *
 * Versions of PHP before 7.3 have no native support for the SameSite attribute
 * so it is emulated.
 *
 * The session.cookie-samesite setting in PHP 7.3 and later will be overridden
 * by this variable for Drupal session cookies, and any other cookies managed
 * with drupal_setcookie().
 *
 * Setting this variable to FALSE disables the SameSite attribute on cookies.
 *
 * @see drupal_setcookie()
 * @see drupal_session_start()
 * @see https://www.php.net/manual/en/session.configuration.php#ini.session.cookie-samesite
 */
#$conf['samesite_cookie_value'] = 'None';

For PHP 7.3 and later, session.cookie-samesite can be used in your PHP configuration.
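The following is an added illustration of the precedence order documented above and of the pre-7.3 emulation; it is not Drupal's own _drupal_samesite_cookie() or drupal_setcookie() code. The function names samesite_resolve() and samesite_cookie_header() are hypothetical, $conf is passed in as a parameter rather than read from Drupal's global, and the ini directive is read under its php.ini name session.cookie_samesite (the manual page linked above refers to it as session.cookie-samesite):

```php
<?php
// Added illustration, not Drupal's implementation: the four-step precedence
// from the change record, applied to a hand-built Set-Cookie header so the
// attribute can be emulated on PHP versions before 7.3.

/**
 * Resolve the SameSite value in the documented order of precedence.
 *
 * @param string|bool|null $explicit
 *   Value passed explicitly by the caller, or NULL if none was given.
 * @param array $conf
 *   Settings array (Drupal reads the global $conf; passed in here so the
 *   function runs outside Drupal).
 * @param string $ini_value
 *   The session.cookie_samesite ini setting, '' when unset or on PHP < 7.3.
 * @param bool $secure
 *   Whether the cookie will carry the Secure attribute.
 *
 * @return string|bool
 *   'None', 'Lax', 'Strict', or FALSE meaning "emit no SameSite attribute".
 */
function samesite_resolve($explicit, array $conf, $ini_value, $secure) {
  // 1) A value explicitly passed by the caller.
  if ($explicit !== NULL) {
    return $explicit;
  }
  // 2) $conf['samesite_cookie_value']; FALSE here disables the attribute.
  if (array_key_exists('samesite_cookie_value', $conf)) {
    return $conf['samesite_cookie_value'];
  }
  // 3) The php ini setting, when one is configured.
  if (is_string($ini_value) && $ini_value !== '') {
    return $ini_value;
  }
  // 4) Default to None, but only for a Secure cookie: browsers reject
  //    SameSite=None on a cookie that is not Secure.
  return $secure ? 'None' : FALSE;
}

/**
 * Build the raw Set-Cookie header line for a cookie.
 *
 * On PHP 7.3+ setcookie() accepts a 'samesite' key in its options array;
 * before 7.3 the attribute has to be appended to the header by hand, which
 * is the emulation the change record describes.
 */
function samesite_cookie_header($name, $value, array $conf, $secure, $explicit = NULL) {
  // ini_get() returns FALSE for a directive the running PHP does not know.
  $ini_value = PHP_VERSION_ID >= 70300 ? (string) ini_get('session.cookie_samesite') : '';
  $samesite = samesite_resolve($explicit, $conf, $ini_value, $secure);

  $header = 'Set-Cookie: ' . rawurlencode($name) . '=' . rawurlencode($value)
    . '; Path=/; HttpOnly';
  if ($secure) {
    $header .= '; Secure';
  }
  if ($samesite !== FALSE) {
    $header .= '; SameSite=' . $samesite;
  }
  return $header;
}

// Constructed inputs covering each branch of the precedence order.
$cases = array(
  'default, Secure cookie'     => array(array(), TRUE, NULL),
  'default, non-Secure cookie' => array(array(), FALSE, NULL),
  'settings.php sets Lax'      => array(array('samesite_cookie_value' => 'Lax'), TRUE, NULL),
  'settings.php disables it'   => array(array('samesite_cookie_value' => FALSE), TRUE, NULL),
  'explicit Strict wins'       => array(array('samesite_cookie_value' => 'Lax'), TRUE, 'Strict'),
);
foreach ($cases as $label => $args) {
  list($conf, $secure, $explicit) = $args;
  printf("%-28s %s\n", $label . ':', samesite_cookie_header('SESSdemo', 'tokenvalue', $conf, $secure, $explicit));
}
```

Run it with `php samesite_demo.php` on any PHP version; the two "default" cases show why the record ties the None default to the Secure flag, and the settings.php cases show the variable overriding the ini default while an explicit value overrides both.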

https://web.dev/samesite-cookies-explained/ provides a thorough explanation of the SameSite attribute and relevant changes in browser behaviour.

Impacts: 
Site builders, administrators, editors

Comments

damienmckenna

Also, make sure the site does not have this:

$conf['https'] = TRUE;

That results in two Set-Cookie values in the HTTP response and one of them breaks Chrome in subtle ways.

--
Damien McKenna | Mediacurrent
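An added check for the situation the comment above describes, not code from the change record or from the commenter: it inspects the Set-Cookie values of one response and reports a cookie name set more than once, SameSite=None without Secure, and a missing or unrecognised SameSite value. The function name samesite_audit() is hypothetical and the sample headers are constructed:

```php
<?php
// Added example (not from the change record or any contributor): audit the
// Set-Cookie headers of a response for the conditions discussed on this page.
// The sample headers below are constructed.

/**
 * Inspect a list of Set-Cookie header values and return a list of findings.
 */
function samesite_audit(array $set_cookie_values) {
  $findings = array();
  $seen = array();
  foreach ($set_cookie_values as $raw) {
    $parts = array_map('trim', explode(';', $raw));
    $pair = array_shift($parts);
    list($name) = explode('=', $pair, 2);
    $name = trim($name);

    // Attribute names are case-insensitive; keep values as written.
    $attrs = array();
    foreach ($parts as $part) {
      if ($part === '') {
        continue;
      }
      $kv = explode('=', $part, 2);
      $attrs[strtolower(trim($kv[0]))] = isset($kv[1]) ? trim($kv[1]) : TRUE;
    }
    $samesite = isset($attrs['samesite']) ? strtolower($attrs['samesite']) : NULL;

    // The same cookie name emitted twice in one response, as the comment above
    // reports for $conf['https'] = TRUE.
    if (isset($seen[$name])) {
      $findings[] = "$name: set more than once in the same response";
    }
    $seen[$name] = TRUE;

    if ($samesite === 'none' && !isset($attrs['secure'])) {
      $findings[] = "$name: SameSite=None without Secure; browsers reject this cookie";
    }
    if ($samesite === NULL) {
      $findings[] = "$name: no SameSite attribute; Chrome 80+ treats it as Lax";
    }
    elseif (!in_array($samesite, array('none', 'lax', 'strict'), TRUE)) {
      $findings[] = "$name: unrecognised SameSite value '" . $attrs['samesite'] . "'";
    }
  }
  return $findings;
}

// Constructed response headers: a session cookie name emitted twice (the
// first copy also lacking Secure), plus one correctly formed cookie.
$sample_headers = array(
  'SESSa1b2c3=abc123; expires=Fri, 01-Jan-2021 00:00:00 GMT; path=/; HttpOnly; SameSite=None',
  'SESSa1b2c3=abc123; expires=Fri, 01-Jan-2021 00:00:00 GMT; path=/; secure; HttpOnly; SameSite=None',
  'has_js=1; path=/; Secure; SameSite=Lax',
);
foreach (samesite_audit($sample_headers) as $finding) {
  echo $finding, "\n";
}
```

To run it against a live site, collect the Set-Cookie lines from a real response (for example the entries named "Set-Cookie" in the array returned by PHP's get_headers(), or the output of `curl -sI` filtered for that header) and pass them to samesite_audit() in place of the constructed array.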

daniel.moberly

For anyone having issues with customer checkout in ecommerce (users unable to checkout) - this is the solution.

nullkernel

I've created a contrib module ("SameSite Cookie") to allow administrators to manage SameSite cookie settings by using Drupal's Admin UI. This lets administrators choose "None", "Lax", "Strict", or no attribute. It also allows administrators to enable a workaround for some legacy browsers. Some older versions of Chrome, Safari, and UCBrowser reject/mishandle cookies that have a SameSite=None attribute. The workaround (if enabled) makes Drupal avoid sending SameSite=None for these legacy browsers.

ptmkenny

This issue is tracking SameSite support for Drupal 9.