Problem/Motivation

We are trying to set the Drupal Session Cookie with the "Secure" Flag.
For the “SESS*” cookie, we were not able to set the "SESS*" cookie with the "Secure" flag.

We have tried from the settings.php using the following code:
ini_set('session.cookie_secure', 1);
However it did not work.

https://acquia.my.site.com/s/article/360037119453-Drupal-session-cookie-attributes
Drupal will set the Secure attribute on session cookies when the site is being accessed via https.
However, the 'Secure' flag is not set as seen in the screenshot.

Currently, we are using drupal version 9.5.9.

We are raising it as a bug as we are resolving a security finding from a pentest scan.

Attached file: Screenshot 2023-08-14 at 17.02.28.png (307.65 KB, uploaded by afiq-0922)

Comments

afiq-0922 created an issue. See original summary.

cilefen

Category: Bug report » Support request

This is not a bug but more of a setup issue on your end. In particular, you probably have a forward cache or other web site setup issue such that Drupal is unaware it is running on SSL.

Usually there is a missing header or similar. This is the code that determines if the request was SSL:

// Symfony\Component\HttpFoundation\Request::isSecure(), the request object Drupal uses.
public function isSecure(): bool
{
    // First way: a trusted proxy (see Request::setTrustedProxies()) sent an
    // X-Forwarded-Proto header saying the client-facing hop used TLS.
    if ($this->isFromTrustedProxy() && $proto = $this->getTrustedValues(self::HEADER_X_FORWARDED_PROTO)) {
        return \in_array(strtolower($proto[0]), ['https', 'on', 'ssl', '1'], true);
    }

    // Second way: the web server itself set the HTTPS server variable.
    $https = $this->server->get('HTTPS');

    return !empty($https) && 'off' !== strtolower($https);
}

You can see that the first way is if certain headers are set from a configured trusted proxy. The second way is if the web server set the HTTPS environment variable.
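The settings.php fragment below is an added example, not code from the issue or from Drupal core, showing the configuration that makes the first branch of isSecure() apply when TLS terminates on a load balancer or CDN in front of Drupal. Drupal core's ReverseProxyMiddleware reads the reverse_proxy settings and calls Request::setTrustedProxies() with them; the session configuration then takes cookie_secure from $request->isSecure() and prefixes the cookie name with SSESS instead of SESS, so a cookie still named SESS* is a quick sign that the request is arriving as plain HTTP from Drupal's point of view. The proxy address is an assumption for illustration.

```php
<?php
// Added example (not from the issue or Drupal core): settings.php for a site
// behind a TLS-terminating reverse proxy. Without these settings no proxy is
// trusted, so an X-Forwarded-Proto header from any client is ignored (the safe
// default) but the real proxy's header is ignored too, isSecure() stays false,
// and the session cookie is issued as SESS* without the Secure attribute.

use Symfony\Component\HttpFoundation\Request;

// Weak setup (the effective default when these lines are absent):
// $settings['reverse_proxy'] = FALSE;

// Corrected setup: trust forwarded headers only from the proxy itself.
$settings['reverse_proxy'] = TRUE;

// Assumed address of the proxy/load balancer; use the real internal address
// or CIDR range of yours. Never use 0.0.0.0/0 here, as that would let any
// client assert https (or a forged client IP) by sending the header.
$settings['reverse_proxy_addresses'] = ['10.0.0.5'];

// Trust only the headers the proxy actually sets. HEADER_X_FORWARDED_PROTO is
// the one isSecure() consults; the others affect client IP, host and port.
$settings['reverse_proxy_trusted_headers'] =
  Request::HEADER_X_FORWARDED_FOR
  | Request::HEADER_X_FORWARDED_HOST
  | Request::HEADER_X_FORWARDED_PORT
  | Request::HEADER_X_FORWARDED_PROTO;
```

To check the result, look at a response that actually starts a session (Drupal does not hand anonymous visitors a session cookie on a plain GET, so use the login POST or a logged-in request) and confirm the Set-Cookie header names an SSESS* cookie carrying the Secure attribute, for example with curl -v against the public https URL. If there is no proxy and TLS terminates on the web server itself, the second branch of isSecure() is the one that matters: the server has to expose the HTTPS variable to PHP, which Apache's mod_ssl does on its own and which nginx needs an explicit fastcgi_param HTTPS on; for.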

Version: 9.5.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

cilefen

Status: Active » Closed (outdated)