Problem/Motivation

Add a security check to verify the SameSite attribute set on cookies (especially session cookies) in Drupal, ensuring it is configured to one of the recommended values (Strict, Lax, or None) to enhance site security against cross-site request forgery and related attacks.

Steps to reproduce

Proposed resolution

Create FitCheck Plugin:  SameSiteCookieCheck 
• Group: Security
• Purpose: Detect the SameSite attribute on cookies and validate against secure configuration values.
Checks to Implement
• Inspect cookies set by the Drupal application and confirm if a SameSite attribute is present.
• Verify the value of SameSite attribute is one of: “Strict”, “Lax”, or “None”.
• Validate that if  SameSite=None  is used, the cookie is also marked  Secure .
• Flag absent, malformed, or insecure SameSite configurations.
Plugin Behavior and Output
• If cookies have unsafe or missing SameSite attribute:
• Return a  FitResult  with Weight: Critical/High.
• List details about the cookies and their problematic SameSite settings.
• Provide remediation guidance:
• Set SameSite attribute explicitly in session cookie configuration.
• Use “Strict” or “Lax” values when appropriate.
• If “None” is used, ensure Secure flag is also set.

Remaining tasks

User interface changes

API changes

Data model changes

Issue fork drupalfit-3558249

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

Comments

anmolgoyal74 created an issue. See original summary.

harivansh’s picture

Issue summary: View changes

shubham.prakash made their first commit to this issue’s fork.

shubham.prakash’s picture

Status: Active » Needs review

harivansh’s picture

Status: Needs review » Fixed

Now that this issue is closed, review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, credit people who helped resolve this issue.

harivansh’s picture

Status: Fixed » Closed (fixed)