Problem/Motivation
Drupal 7 does not set the SameSite attribute on its PHP session cookie; the attribute can only appear on PHP 7.3 or higher, where the session.cookie_samesite ini option supplies it. Until recently, all major browsers treated a cookie without this attribute as if it were SameSite=None. Google Chrome has changed this: since the rollout that began with Chrome 80 and completed with the release of Chrome 84 in July 2020, cookies with no SameSite attribute are treated as Lax. A Lax cookie is not sent on cross-site POST requests (Chrome's "Lax + POST" exception only covers cookies set within the previous two minutes, which a session cookie rarely is), so a user who is POSTed back to the site from another domain arrives without a session. The Drupal contrib module ecosystem has by and large been developed on the implicit assumption that browsers treat cookies as SameSite=None. Additionally, some sites and modules are not yet ready to move to newer versions of PHP.
Drupal 7's documentation presently indicates that PHP 7.0 and higher is supported.
Steps to reproduce
Other users and I have seen consequences of this for Drupal Commerce off-site payment redirects. This is where the user submits a form that POSTs to another domain (the payment processor), and the payment processor sends the user back to the site with another POST (containing the verified payment data). Such an arrangement is a way of attaining PCI compliance, since the Drupal website never sees a credit card number or other sensitive account information.
Contrib modules do not seem to be an appropriate or feasible place to change this.
Proposed resolution
Modify drupal_session_start() so that it sets this attribute for PHP session cookies.
Since Drupal 7's contrib modules have been developed with the implicit assumption of SameSite=None (and this is how web browsers have acted), explicitly set this cookie attribute. On PHP 7.3 and higher, the value can be taken from the php.ini option session.cookie_samesite="None". Note that Chrome 80 and later (and other browsers following the current SameSite draft) reject a SameSite=None cookie that does not also carry the Secure attribute, so the None default only takes effect over HTTPS; on plain HTTP the attribute has to be omitted. There is a related issue for Drupal 9.1.x, but it is for setting SameSite=Lax.
Lower versions of PHP have no built-in support for the SameSite attribute. However, users on StackExchange and elsewhere have pointed out a workaround for session cookies on PHP < 7.3: because those versions copy the cookie path verbatim into the Set-Cookie header, appending the string "; samesite=None" (or Lax, or Strict) to the path, for example through session_set_cookie_params() or session.cookie_path, smuggles the attribute into the header.
Detect incompatible browsers (which reject or misinterpret cookies carrying this attribute, for example Safari on iOS 12 and macOS 10.14, which treats SameSite=None as Strict, and Chrome 51 to 66, which drops such cookies) via their User-Agent string, and avoid setting the attribute for them. Known incompatible clients are documented here: https://www.chromium.org/updates/same-site/incompatible-clients
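The proposed steps above (SameSite value from the ini option or a config variable, the PHP < 7.3 path workaround, the Secure requirement for None, and User-Agent based exclusion of incompatible clients) combined into one helper that a drupal_session_start()-style bootstrap could call before session_start(). This is an added illustration, not Drupal core code and not from any patch on this issue; the function names, the session_cookie_samesite variable name and the User-Agent patterns are assumptions made for the example.

```php
<?php
// Added illustration for this issue; not Drupal core or contrib code.
// All function names, the hypothetical 'session_cookie_samesite' Drupal
// variable and the User-Agent patterns are assumptions for this example.

/**
 * Returns TRUE for clients on the Chromium incompatible-clients list that
 * reject or misinterpret SameSite=None. Unknown agents count as compatible.
 */
function samesite_none_incompatible_client($ua) {
  // Every browser on iOS 12 uses the system WebKit, which treats None as Strict.
  if (preg_match('/\(iP.+; CPU .*OS 12[_\d]*.*\) AppleWebKit\//', $ua)) {
    return TRUE;
  }
  // Safari and embedded WebKit views on macOS 10.14 (Chrome there is fine).
  if (preg_match('/\(Macintosh;.*Mac OS X 10_14[_\d]*.*\) AppleWebKit\//', $ua)
      && !preg_match('/Chrom(e|ium)\//', $ua)) {
    return TRUE;
  }
  // UC Browser on Android before 12.13.2 rejects SameSite=None cookies.
  // Its UA also contains a Chrome/ token, so check it before Chrome.
  if (preg_match('/UCBrowser\/(\d+\.\d+\.\d+)/', $ua, $m)) {
    return version_compare($m[1], '12.13.2', '<');
  }
  // Chrome/Chromium 51 through 66 rejected cookies carrying SameSite=None.
  if (preg_match('/Chrom(e|ium)\/(\d+)\./', $ua, $m)) {
    return (int) $m[2] >= 51 && (int) $m[2] <= 66;
  }
  return FALSE;
}

/**
 * The configured SameSite value: the ini option on PHP >= 7.3, otherwise a
 * hypothetical Drupal variable standing in for it. Defaults to None.
 */
function session_cookie_samesite_value() {
  if (PHP_VERSION_ID >= 70300) {
    $value = ini_get('session.cookie_samesite');
  }
  else {
    $value = function_exists('variable_get')
      ? variable_get('session_cookie_samesite', 'None') : 'None';
  }
  return in_array($value, array('None', 'Lax', 'Strict'), TRUE) ? $value : 'None';
}

/**
 * Apply the SameSite attribute to the session cookie. Must be called before
 * session_start(). Returns the attribute actually used ('' when omitted).
 */
function configure_session_cookie_samesite($ua, $https) {
  $samesite = session_cookie_samesite_value();
  if ($samesite === 'None' && samesite_none_incompatible_client($ua)) {
    // These clients treat a missing attribute as None, so omit it for them.
    $samesite = '';
  }
  if ($samesite === 'None' && !$https) {
    // Chrome 80+ drops SameSite=None cookies that are not also Secure, and a
    // Secure cookie is useless over plain HTTP, so omit the attribute here too.
    $samesite = '';
  }
  $lifetime = (int) ini_get('session.cookie_lifetime');
  $path = ini_get('session.cookie_path') ?: '/';
  $domain = (string) ini_get('session.cookie_domain');
  if (PHP_VERSION_ID >= 70300) {
    // Native support: the array form of session_set_cookie_params().
    $params = array('lifetime' => $lifetime, 'path' => $path,
      'domain' => $domain, 'secure' => $https, 'httponly' => TRUE);
    if ($samesite !== '') {
      $params['samesite'] = $samesite;
    }
    session_set_cookie_params($params);
  }
  else {
    // PHP < 7.3 copies the path verbatim into Set-Cookie, so appending the
    // attribute to the path smuggles it into the header.
    $cookie_path = $samesite === '' ? $path : $path . '; SameSite=' . $samesite;
    session_set_cookie_params($lifetime, $cookie_path, $domain, $https, TRUE);
  }
  return $samesite;
}

// Usage from a bootstrap, before session_start() is called.
$ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
$https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
$applied = configure_session_cookie_samesite($ua, $https);
```

The User-Agent check is a deny-list of known-broken clients rather than an allow-list, so an unrecognised browser gets the configured attribute; that matches how the Chromium page describes the problem (a handful of specific client versions) and avoids silently downgrading every new browser release. Omitting the attribute on plain HTTP is a deliberate fallback: an explicit SameSite=None without Secure would be rejected outright, which is strictly worse than the browser's own default handling.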
Remaining tasks
Discuss and patch.
User interface changes
None
API changes
None, except possibly a new config variable that substitutes for the ini option on PHP versions lower than 7.3.
Data model changes
None
Release notes snippet
Explicitly set the SameSite cookie attribute (default: None).