From f36dacc692f32873eca886634f328c6661c723c7 Mon Sep 17 00:00:00 2001
From: catch
Date: Mon, 6 Mar 2023 17:14:57 +0000
Subject: [PATCH] Issue #3150614 by pfrenssen, cilefen, murilohp, FinnishFlash, mpp, andypost, ranjith_kumar_k_u, vagelis-prokopiou, rpayanm, tsplash, blazey, Winn, znerol, alexpott, Berdir, mxr576, catch, anagomes: Set SameSite on session cookies
---
 .../scaffold/files/default.services.yml | 7 ++++++
 core/core.services.yml | 1 +
 core/misc/cspell/dictionary.txt | 1 +
 core/modules/system/system.install | 22 +++++++++++++++++++
 .../Core/Session/SessionConfigurationTest.php | 11 ++++++++++
 sites/default/default.services.yml | 7 ++++++
 6 files changed, 49 insertions(+)
diff --git a/core/assets/scaffold/files/default.services.yml b/core/assets/scaffold/files/default.services.yml
index eb530088efa..8a6cdf2f77f 100644
--- a/core/assets/scaffold/files/default.services.yml
+++ b/core/assets/scaffold/files/default.services.yml
@@ -37,6 +37,13 @@ parameters:
 # @default none
 # cookie_domain: '.example.com'
 #
+ # Set the SameSite cookie attribute: 'None', 'Lax', or 'Strict'. If set,
+ # this value will override the server value. See
+ # https://www.php.net/manual/en/session.security.ini.php for more
+ # information.
+ # @default no value
+ cookie_samesite: Lax
+ #
 # Set the session ID string length. The length can be between 22 to 256. The
 # PHP recommended value is 48. See
 # https://www.php.net/manual/session.security.ini.php for more information.
diff --git a/core/core.services.yml b/core/core.services.yml
index 1c5d787c572..3beafcd932c 100644
--- a/core/core.services.yml
+++ b/core/core.services.yml
@@ -9,6 +9,7 @@ parameters:
 gc_divisor: 100
 gc_maxlifetime: 200000
 cookie_lifetime: 2000000
+ cookie_samesite: Lax
 sid_length: 48
 sid_bits_per_character: 6
 twig.config:
diff --git a/core/misc/cspell/dictionary.txt b/core/misc/cspell/dictionary.txt
index bb74373f9df..5c5fa462786 100644
--- a/core/misc/cspell/dictionary.txt
+++ b/core/misc/cspell/dictionary.txt
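Review bot: The added comment block says `# @default no value` while the key right below it is shipped active as `cookie_samesite: Lax`, unlike the neighbouring `cookie_domain` example that is left commented out, so the comment contradicts what the scaffold actually does. It also omits the constraint that the new system_requirements check enforces: a value of 'None' is only valid over HTTPS, because browsers reject SameSite=None cookies that are not marked Secure. Suggested wording inside the block: `# 'None' is only honoured over HTTPS (the cookie must carry the Secure attribute).` and `# @default Lax (set below)`. The link points to the general session-security page; the directive itself is documented at the session.configuration.php#ini.session.cookie-samesite anchor that the system.install hunk already uses. The same applies to the identical hunk in sites/default/default.services.yml.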
@@ -1031,6 +1031,7 @@ safa
 sameline
 samename
 sameorigin
+samesite
 sata
 savepoints
 sayre
diff --git a/core/modules/system/system.install b/core/modules/system/system.install
index a896ba98974..b0659ff3dd8 100644
--- a/core/modules/system/system.install
+++ b/core/modules/system/system.install
@@ -1309,6 +1309,28 @@ function system_requirements($phase) {
 }
 }
 
+ // Check if the SameSite cookie attribute is set to a valid value. Since this
+ // involves checking whether we are using a secure connection this only makes
+ // sense inside an HTTP request, not on the command line.
+ if ($phase === 'runtime' && PHP_SAPI !== 'cli') {
+ $samesite = ini_get('session.cookie_samesite') ?: t('Not set');
+ // Check if the SameSite attribute is set to a valid value. If it is set to
+ // 'None' the request needs to be done over HTTPS.
+ $valid = match ($samesite) {
+ 'Lax', 'Strict' => TRUE,
+ 'None' => $request_object->isSecure(),
+ default => FALSE,
+ };
+ $requirements['php_session_samesite'] = [
+ 'title' => t('SameSite cookie attribute'),
+ 'value' => $samesite,
+ 'severity' => $valid ? REQUIREMENT_OK : REQUIREMENT_WARNING,
+ 'description' => t('This attribute should be explicitly set to Lax, Strict or None. If set to None then the request must be made via HTTPS. See PHP documentation', [
+ ':url' => 'https://www.php.net/manual/en/session.configuration.php#ini.session.cookie-samesite',
+ ]),
+ ];
+ }
+
 // See if trusted hostnames have been configured, and warn the user if they
 // are not set.
 if ($phase == 'runtime') {
diff --git a/core/tests/Drupal/Tests/Core/Session/SessionConfigurationTest.php b/core/tests/Drupal/Tests/Core/Session/SessionConfigurationTest.php
index ac6b0a76974..55282c05483 100644
--- a/core/tests/Drupal/Tests/Core/Session/SessionConfigurationTest.php
+++ b/core/tests/Drupal/Tests/Core/Session/SessionConfigurationTest.php
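Review bot: The `match ($samesite)` in the system.install hunk compares the raw ini value case-sensitively, so a php.ini setting of `lax` or `strict` — which PHP passes through to the Set-Cookie header unchanged and browsers accept, as the attribute value is matched case-insensitively — is reported as invalid with a REQUIREMENT_WARNING. Normalising before matching avoids that false positive while the displayed `'value'` stays as read: `$valid = match (ucfirst(strtolower((string) $samesite))) {`. The `'None'` branch relies on `$request_object`, which is defined outside this hunk (system_requirements begins before it), and `isSecure()` only reports HTTPS behind a TLS-terminating proxy when trusted proxies are configured, so that branch may warn on correctly configured sites; the description could say that the check looks at the current request. Strictly, 'None' requires the Secure attribute on the cookie rather than merely an HTTPS request, so if `session.cookie_secure` is not guaranteed to follow the request the check could read it as well, and the second comment would then be more precise as `// 'None' is only valid when the cookie is also sent with the Secure attribute.`.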
@@ -116,6 +116,17 @@ class SessionConfigurationTest extends UnitTestCase {
 $this->assertEquals($expected_secure, $options['cookie_secure']);
 }
 
+ /**
+ * Test that session.cookie_samesite is configured correctly.
+ */
+ public function testSameSiteCookie() {
+ $request = Request::create('https://example.com');
+
+ $config = $this->createSessionConfiguration(['cookie_samesite' => 'Strict']);
+ $options = $config->getOptions($request);
+ $this->assertEquals('Strict', $options['cookie_samesite']);
+ }
+
 /**
 * Tests that session.cookie_secure ini settings cannot be overridden.
 *
diff --git a/sites/default/default.services.yml b/sites/default/default.services.yml
index eb530088efa..8a6cdf2f77f 100644
--- a/sites/default/default.services.yml
+++ b/sites/default/default.services.yml
@@ -37,6 +37,13 @@ parameters:
 # @default none
 # cookie_domain: '.example.com'
 #
+ # Set the SameSite cookie attribute: 'None', 'Lax', or 'Strict'. If set,
+ # this value will override the server value. See
+ # https://www.php.net/manual/en/session.security.ini.php for more
+ # information.
+ # @default no value
+ cookie_samesite: Lax
+ #
 # Set the session ID string length. The length can be between 22 to 256. The
 # PHP recommended value is 48. See
 # https://www.php.net/manual/session.security.ini.php for more information.
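Review bot: `testSameSiteCookie` pins only the explicit `'Strict'` override; there is no case for the fallback when `cookie_samesite` is absent from the options (the services.yml comment says the server value is used then) and none for `'None'`, the value the new system_requirements check treats specially, so the default path this commit documents is untested here. A second case built with `createSessionConfiguration([])` asserting whatever the intended fallback is — presumably the ini value, to be confirmed against SessionConfiguration — would cover it. For a string comparison `assertSame` is the tighter assertion than `assertEquals`, and the docblock should read `* Tests that session.cookie_samesite is configured correctly.` to match the sibling `Tests that session.cookie_secure ini settings cannot be overridden.`.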