Issue #3150614 by pfrenssen, cilefen, murilohp, FinnishFlash, mpp, andypost, ranjith_kumar_k_u, vagelis-prokopiou, rpayanm, tsplash, blazey, Winn, znerol, alexpott, Berdir, mxr576, catch, anagomes: Set SameSite on session cookies

core/assets/scaffold/files/default.services.yml

@@ -37,6 +37,13 @@ parameters:
     # @default none
     # cookie_domain: '.example.com'
     #
+    # Set the SameSite cookie attribute: 'None', 'Lax', or 'Strict'. If set,
+    # this value will override the server value. See
+    # https://www.php.net/manual/en/session.security.ini.php for more
+    # information.
+    # @default no value
+    cookie_samesite: Lax
+    #
     # Set the session ID string length. The length can be between 22 to 256. The
     # PHP recommended value is 48. See
     # https://www.php.net/manual/session.security.ini.php for more information.

core/core.services.yml

@@ -9,6 +9,7 @@ parameters:
     gc_divisor: 100
     gc_maxlifetime: 200000
     cookie_lifetime: 2000000
+    cookie_samesite: Lax
     sid_length: 48
     sid_bits_per_character: 6
   twig.config:

core/misc/cspell/dictionary.txt

@@ -1031,6 +1031,7 @@ safa
 sameline
 samename
 sameorigin
+samesite
 sata
 savepoints
 sayre

core/modules/system/system.install

@@ -1309,6 +1309,28 @@ function system_requirements($phase) {
     }
   }
 
+  // Check if the SameSite cookie attribute is set to a valid value. Since this
+  // involves checking whether we are using a secure connection this only makes
+  // sense inside an HTTP request, not on the command line.
+  if ($phase === 'runtime' && PHP_SAPI !== 'cli') {
+    $samesite = ini_get('session.cookie_samesite') ?: t('Not set');
+    // Check if the SameSite attribute is set to a valid value. If it is set to
+    // 'None' the request needs to be done over HTTPS.
+    $valid = match ($samesite) {
+      'Lax', 'Strict' => TRUE,
+      'None' => $request_object->isSecure(),
+      default => FALSE,
+    };
+    $requirements['php_session_samesite'] = [
+      'title' => t('SameSite cookie attribute'),
+      'value' => $samesite,
+      'severity' => $valid ? REQUIREMENT_OK : REQUIREMENT_WARNING,
+      'description' => t('This attribute should be explicitly set to Lax, Strict or None. If set to None then the request must be made via HTTPS. See <a href=":url" target="_blank">PHP documentation</a>', [
+        ':url' => 'https://www.php.net/manual/en/session.configuration.php#ini.session.cookie-samesite',
+      ]),
+    ];
+  }
+
   // See if trusted hostnames have been configured, and warn the user if they
   // are not set.
   if ($phase == 'runtime') {

core/tests/Drupal/Tests/Core/Session/SessionConfigurationTest.php

@@ -116,6 +116,17 @@ class SessionConfigurationTest extends UnitTestCase {
     $this->assertEquals($expected_secure, $options['cookie_secure']);
   }
 
+  /**
+   * Test that session.cookie_samesite is configured correctly.
+   */
+  public function testSameSiteCookie() {
+    $request = Request::create('https://example.com');
+
+    $config = $this->createSessionConfiguration(['cookie_samesite' => 'Strict']);
+    $options = $config->getOptions($request);
+    $this->assertEquals('Strict', $options['cookie_samesite']);
+  }
+
   /**
    * Tests that session.cookie_secure ini settings cannot be overridden.
    *

sites/default/default.services.yml

@@ -37,6 +37,13 @@ parameters:
     # @default none
     # cookie_domain: '.example.com'
     #
+    # Set the SameSite cookie attribute: 'None', 'Lax', or 'Strict'. If set,
+    # this value will override the server value. See
+    # https://www.php.net/manual/en/session.security.ini.php for more
+    # information.
+    # @default no value
+    cookie_samesite: Lax
+    #
     # Set the session ID string length. The length can be between 22 to 256. The
     # PHP recommended value is 48. See
     # https://www.php.net/manual/session.security.ini.php for more information.