Introduced in branch: 10.1.x
Introduced in version: 10.1.0
Description:

The SameSite attribute of the session cookie is now configurable in services.yml, through the cookie_samesite key under parameters > session.storage.options. The value shipped in default.services.yml is Lax.

Follow this procedure to change the default from Lax to Strict or None:

  1. Change into the site directory (e.g. sites/default).
  2. If services.yml does not exist yet, copy default.services.yml to services.yml.
  3. Edit services.yml. Under the parameters: section, find the session.storage.options: subsection and set its cookie_samesite key to the desired value. The key must sit inside that subsection (indented two levels below parameters:), exactly as in default.services.yml; a value of None only passes the status report check when the site is served over HTTPS.

See also the comment in default.services.yml:

parameters:
  session.storage.options:
    # Set the SameSite cookie attribute: 'None', 'Lax', or 'Strict'. If set,
    # this value will override the server value. See
    # https://www.php.net/manual/en/session.security.ini.php for more
    # information.
    # @default no value
    cookie_samesite: Lax
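As an added example (not part of this change record and not Drupal core code), the following script applies steps 2 and 3 above to a site directory and then reads the configured value back. It rewrites only the cookie_samesite key that is nested under parameters > session.storage.options, refuses values other than Lax, Strict or None, and reports a missing key instead of silently doing nothing. The default.services.yml it creates in the demo is constructed to mirror the fragment above; the Set-Cookie header it parses is likewise constructed, and the curl command named in the comments assumes a reachable site at example.org.

```shell
#!/bin/sh
# Added example for this change record; not Drupal core code and not part of the
# record itself. Applies steps 2 and 3 to a site directory and reports the value
# the site is configured with. File contents below are constructed for the demo.
# On a real site, `curl -sI https://example.org/user/login` (assumed reachable)
# is where a Set-Cookie line for samesite_of_header would come from.
set -eu

# Step 2: create services.yml from default.services.yml if it is not there yet.
ensure_services_yml() {
  [ -f "$1/services.yml" ] || cp "$1/default.services.yml" "$1/services.yml"
}

# Step 3: set cookie_samesite, but only the key nested under
# parameters > session.storage.options; a same-named key in any other section
# is left alone, and a missing key is reported rather than silently skipped.
set_cookie_samesite() {
  site="$1"; value="$2"
  case "$value" in
    Lax|Strict|None) ;;
    *) echo "cookie_samesite must be Lax, Strict or None, not '$value'" >&2; return 1 ;;
  esac
  tmp="$site/services.yml.tmp"
  if awk -v v="$value" '
      /^[^ #]/   { sec = $1 }      # top-level key (parameters:, services:, ...)
      /^  [^ #]/ { sub2 = $1 }     # second-level key (session.storage.options:, ...)
      sec == "parameters:" && sub2 == "session.storage.options:" && /^    cookie_samesite:/ {
        print "    cookie_samesite: " v; n++; next
      }
      { print }
      END { if (!n) exit 1 }       # key never seen in the right place
    ' "$site/services.yml" > "$tmp"; then
    mv "$tmp" "$site/services.yml"
  else
    rm -f "$tmp"
    echo "no cookie_samesite key under parameters > session.storage.options in $site/services.yml" >&2
    return 1
  fi
}

# Read the configured value back with the same scoping, so the edit can be verified.
get_cookie_samesite() {
  awk '
    /^[^ #]/   { sec = $1 }
    /^  [^ #]/ { sub2 = $1 }
    sec == "parameters:" && sub2 == "session.storage.options:" && /^    cookie_samesite:/ {
      v = $2; gsub(/[^A-Za-z]/, "", v); print v; exit   # strip surrounding quotes
    }
  ' "$1/services.yml"
}

# What the browser will see: the SameSite attribute of one Set-Cookie header
# line. Prints "Not set" when the attribute is absent, the wording the status
# report uses for an unset value.
samesite_of_header() {
  printf '%s\n' "$1" | tr ';' '\n' | awk -F= '
    { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
    tolower(k) == "samesite" { v = $2; gsub(/[ \t]/, "", v); print v; found = 1; exit }
    END { if (!found) print "Not set" }
  '
}

# Demo on a constructed site directory whose default.services.yml mirrors the
# fragment above, plus a decoy key in another section that must not change.
demo() {
  site=$(mktemp -d)
  cat > "$site/default.services.yml" <<'EOF'
parameters:
  session.storage.options:
    # Set the SameSite cookie attribute: 'None', 'Lax', or 'Strict'.
    # @default no value
    cookie_samesite: Lax
  http.response.debug_cacheability_headers: false
services:
  constructed.decoy:
    cookie_samesite: Lax
EOF
  ensure_services_yml "$site"
  set_cookie_samesite "$site" Strict
  echo "configured: $(get_cookie_samesite "$site")"
  echo "header:     $(samesite_of_header 'Set-Cookie: SSESS0123=abc; path=/; secure; HttpOnly; SameSite=Strict')"
  rm -rf "$site"
}
demo
```

The configured value and the attribute on the wire are checked separately on purpose: services.yml says what the site was told to do, while the Set-Cookie header shows what a browser is actually sent, which is the only thing that matters for cross-site request behaviour.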
Impacts: Site builders, administrators, editors

Comments

selinav

I've added 'cookie_samesite: Lax' under parameters: session.storage.options in services.yml, but the warning message is still present in admin/reports/status#warning.

What is wrong?

robcarr

I've done the same and still have the warning message. Not sure if the current session needs to end for the warning to go away. I tried deleting the domain and session cookies, but it made no difference.

larruda

Same behavior, settings applied, message remains. Please clarify.

murrow

In web/core/modules/system/system.install at line 1315:

  // Check if the SameSite cookie attribute is set to a valid value. Since this
  // involves checking whether we are using a secure connection this only makes
  // sense inside an HTTP request, not on the command line.
  if ($phase === 'runtime' && PHP_SAPI !== 'cli') {
    $samesite = ini_get('session.cookie_samesite') ?: t('Not set');
    // Check if the SameSite attribute is set to a valid value. If it is set to
    // 'None' the request needs to be done over HTTPS.
    $valid = match ($samesite) {
      'Lax', 'Strict' => TRUE,
      'None' => $request_object->isSecure(),
      default => FALSE,
    };
    $requirements['php_session_samesite'] = [
      'title' => t('SameSite cookie attribute'),
      'value' => $samesite,
      'severity' => $valid ? REQUIREMENT_OK : REQUIREMENT_WARNING,
      'description' => t('This attribute should be explicitly set to Lax, Strict or None. If set to None then the request must be made via HTTPS. See <a href=":url" target="_blank">PHP documentation</a>', [
        ':url' => 'https://www.php.net/manual/en/session.configuration.php#ini.session.cookie-samesite',
      ]),
    ];
  }

nikolay borisov

It is not stated clearly here, but "cookie_samesite: Lax" should of course go under parameters > session.storage.options.

Here is an example:

parameters:
  session.storage.options:
    # Set the SameSite cookie attribute: 'None', 'Lax', or 'Strict'. If set,
    # this value will override the server value. See
    # https://www.php.net/manual/en/session.security.ini.php for more
    # information.
    # @default no value
    cookie_samesite: Lax

For D10 it is of course clearly visible here: https://git.drupalcode.org/project/drupal/-/blob/10.2.x/sites/default/de...

websiteworkspace

Thank you.