Channel: Issues for Drupal core

Set samesite cookie attribute for PHP sessions


Problem/Motivation

Drupal 7 does not set the samesite attribute for PHP session cookies, unless it is configured through PHP's ini option on PHP 7.3 or higher. Up until recently, all major browsers treated cookies without this attribute as if they were samesite=None. Recently (July 2020), Google Chrome changed this with the release of Chrome 84: cookies are now treated as "Lax" if no samesite attribute is set. The Drupal contrib module ecosystem has by and large been developed with the implicit assumption that browsers treat cookies as samesite=None. Additionally, some sites/modules aren't yet ready to upgrade to higher versions of PHP.

Drupal 7's documentation presently indicates that PHP 7.0 and higher is supported.

Steps to reproduce

I and other users have seen consequences of this for Drupal Commerce off-site payment redirects. This is where the user submits a form that POSTs to another domain (payment processor), and the payment processor sends the user back to the site with another POST (containing the verified payment data). Such an arrangement is a way of attaining PCI compliance (by the Drupal website never seeing a credit card number or other sensitive account information).

Contrib modules don't seem to be an appropriate or feasible place to make this change.

Proposed resolution

Modify drupal_session_start() so that it sets this attribute for PHP session cookies.

Since Drupal 7's contrib modules have been developed with the implicit assumption of samesite=None (and this is how web browsers have acted), explicitly set this cookie attribute. On PHP 7.3 and higher, this attribute can be based on the PHP ini option session.cookie_samesite="None". There is currently a related issue for Drupal 9.1.x, but it is for setting samesite=Lax.

Lower versions of PHP do not have built-in support for the samesite attribute. However, users on StackExchange and elsewhere have pointed out a workaround for PHP < 7.3 session cookies. The workaround involves modifying the cookie's path to append the string "; samesite=None" (or Lax, or Strict).

Detect incompatible browsers (which reject cookies having this attribute) via their User-Agent string, and avoid setting this attribute for them. Known incompatible clients are documented here: https://www.chromium.org/updates/same-site/incompatible-clients
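The three parts of the proposed resolution (native attribute on PHP 7.3+, the path-suffix workaround on older PHP, and skipping the attribute for clients known to reject it) fit together as below. This is an added illustration, not code from this issue or from Drupal core; all function names are hypothetical, and the User-Agent patterns are an illustrative subset of the Chromium incompatible-clients list, not a complete one. It would be called from drupal_session_start() before session_start().

```php
<?php
/**
 * Added example (not Drupal core code). Function names are hypothetical.
 * Call samesite_example_set_session_cookie_params() before session_start().
 */

/**
 * Returns TRUE for user agents that reject cookies carrying a SameSite value.
 *
 * Assumption: an illustrative subset of
 * https://www.chromium.org/updates/same-site/incompatible-clients,
 * not a complete or maintained list.
 */
function samesite_example_is_incompatible_ua($ua) {
  // Chrome/Chromium 51 to 66 treat an unknown SameSite value as Strict.
  if (preg_match('#Chrom(?:e|ium)/(\d+)\.#', $ua, $m)) {
    $major = (int) $m[1];
    if ($major >= 51 && $major <= 66) {
      return TRUE;
    }
  }
  // iOS 12: every browser uses the system WebKit, which drops such cookies.
  if (preg_match('#\(iP.+; CPU .*OS 12[_\d]*.*\) AppleWebKit/#', $ua)) {
    return TRUE;
  }
  // Safari and embedded WebKit (not Chrome) on macOS 10.14 share that bug.
  if (preg_match('#\(Macintosh;.*Mac OS X 10_14[_\d]*.*\) AppleWebKit/#', $ua)
      && strpos($ua, 'Chrome/') === FALSE) {
    return TRUE;
  }
  return FALSE;
}

/**
 * Configures the session cookie so PHP emits it with a SameSite attribute.
 *
 * @param string $samesite 'None', 'Lax' or 'Strict'.
 * @param string|null $ua  User-Agent header; defaults to the current request.
 * @return string 'native', 'path-hack' or 'skipped' (which strategy applied).
 */
function samesite_example_set_session_cookie_params($samesite = 'None', $ua = NULL) {
  if (!in_array($samesite, array('None', 'Lax', 'Strict'), TRUE)) {
    throw new InvalidArgumentException('Unsupported SameSite value: ' . $samesite);
  }
  if ($ua === NULL) {
    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
  }
  if (samesite_example_is_incompatible_ua($ua)) {
    // These clients would discard the cookie; leave PHP's defaults untouched.
    return 'skipped';
  }

  $p = session_get_cookie_params();
  // Browsers only accept SameSite=None on cookies that are also Secure, so a
  // plain-HTTP request gains nothing from the attribute and must not set it.
  $secure = $p['secure'] || (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
  if ($samesite === 'None' && !$secure) {
    return 'skipped';
  }

  if (PHP_VERSION_ID >= 70300) {
    // PHP 7.3+ understands the attribute natively; this has the same effect
    // as session.cookie_samesite in php.ini.
    session_set_cookie_params(array(
      'lifetime' => $p['lifetime'],
      'path'     => $p['path'],
      'domain'   => $p['domain'],
      'secure'   => $secure,
      'httponly' => $p['httponly'],
      'samesite' => $samesite,
    ));
    return 'native';
  }

  // Older PHP copies the session cookie path verbatim into the Set-Cookie
  // header, so the attribute can ride along as a path suffix: the browser
  // still parses the path as "/" because ";" terminates it.
  session_set_cookie_params(
    $p['lifetime'],
    $p['path'] . '; SameSite=' . $samesite,
    $p['domain'],
    $secure,
    $p['httponly']
  );
  return 'path-hack';
}
```

Two points worth keeping in mind when adapting this: the Secure requirement means the off-site payment round trip described above only survives on sites served over HTTPS, and the path-suffix trick is specific to the session cookie code path in pre-7.3 PHP (setcookie() rejects ";" in a path), so it must stay behind the version check.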

Remaining tasks

Discuss and patch.

User interface changes

None

API changes

None. Possibly support a config variable that can be used as a substitute for the ini option (for PHP versions lower than 7.3).

Data model changes

None

Release notes snippet

Explicitly set the samesite cookie attribute (default: None).

