Problem/Motivation
Add a security check to verify the SameSite attribute set on cookies (especially session cookies) in Drupal, ensuring it is configured to one of the recommended values (Strict, Lax, or None) to enhance site security against cross-site request forgery and related attacks.
Steps to reproduce
Proposed resolution
Create FitCheck Plugin: SameSiteCookieCheck
• Group: Security
• Purpose: Detect the SameSite attribute on cookies and validate against secure configuration values.
Checks to Implement
• Inspect cookies set by the Drupal application and confirm if a SameSite attribute is present.
• Verify the value of SameSite attribute is one of: “Strict”, “Lax”, or “None”.
• Validate that if SameSite=None is used, the cookie is also marked Secure .
• Flag absent, malformed, or insecure SameSite configurations.
Plugin Behavior and Output
• If cookies have unsafe or missing SameSite attribute:
• Return a FitResult with Weight: Critical/High.
• List details about the cookies and their problematic SameSite settings.
• Provide remediation guidance:
• Set SameSite attribute explicitly in session cookie configuration.
• Use “Strict” or “Lax” values when appropriate.
• If “None” is used, ensure Secure flag is also set.
Remaining tasks
User interface changes
API changes
Data model changes
Issue fork drupalfit-3558249
Show commands
Start within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
Comments
Comment #2
harivansh commentedComment #5
shubham.prakash commentedComment #7
harivansh commentedComment #9
harivansh commented