
In the Drupal Status report, I'm seeing the following message:

Not set
This attribute should be explicitly set to Lax, Strict or None. If set to None then the request must be made via HTTPS. See PHP documentation

The "SameSite" cookie attribute is a security feature in web browsers that helps prevent cross-site request forgery (CSRF) and cross-site scripting (XSS) attacks. This attribute allows web developers to control when cookies should be sent with cross-site requests.

When you see a warning related to the "SameSite" cookie attribute in Drupal, it typically means that your Drupal site is using cookies, and the browser is flagging them for their "SameSite" attribute.


What's the difference between Lax, Strict and None?

The "SameSite" attribute for cookies determines how cookies are sent in cross-site (i.e., third-party) requests. There are three values for the "SameSite" attribute: "Lax," "Strict," and "None." Each value controls the behavior of cookies in different ways:


Lax

Cookies with the "Lax" attribute are sent in cross-site requests if the request is initiated by a top-level navigation, which includes clicking on a link, entering a URL in the address bar, or submitting a form.

Cookies are not sent in cross-site requests initiated by subresource requests, such as loading images, scripts, or styles. This is the default behavior for cookies if the "SameSite" attribute is not explicitly set. It provides a reasonable level of security by preventing CSRF attacks while allowing some cross-site navigation functionality.

Strict

Cookies with the "Strict" attribute are not sent in cross-site requests, regardless of how the request is initiated. This setting provides the highest level of security and prevents cookies from being sent in any cross-site context.

It's essential for applications that require strong security, but it may affect some user experiences, such as cross-site single sign-on.

None

Cookies with the "None" attribute are sent in all cross-site requests, including both top-level navigation and subresource requests. This value is used when you want to enable cookies for cross-site requests explicitly. 

To use the "None" attribute, you must also set the "Secure" attribute, meaning that the cookie is only transmitted over secure (HTTPS) connections.

This is typically used in situations where cookies need to be shared between different sites or when third-party cookies are necessary for functionalities like cross-site tracking or single sign-on.

In summary, the "SameSite" attribute controls the behavior of cookies in cross-site requests, and the choice of "Lax," "Strict," or "None" depends on your specific security and functionality requirements:

  • "Lax" is the default and provides a balance between security and usability.
  • "Strict" enhances security by not sending cookies in any cross-site requests.
  • "None" allows cookies to be sent in all cross-site requests and is typically used when explicit cross-site functionality is required and HTTPS is used.

The choice of the "SameSite" attribute value should be made carefully based on your application's needs and security considerations.
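The three values above are easier to reason about as a decision function. The following PHP script is an added example, not code from the original article or from Drupal core: it models the browser's decision whether to attach a cookie to a request, given the cookie's SameSite value and Secure flag and the kind of request being made. It goes one step beyond the text in one respect, following the cookie specification (RFC 6265bis): a Lax cookie rides along on a cross-site top-level navigation only when the request uses a safe method such as GET, so a cross-site POST form submission does not carry it. The scenarios at the bottom are constructed.

```php
<?php
// Added example, not from the original article or from Drupal core: a model of the
// browser's decision whether to attach a cookie to a request, based on the cookie's
// SameSite value, its Secure flag and the kind of request being made.

final class CookiePolicy
{
    /**
     * Decide whether a cookie is attached to a request.
     *
     * @param string $sameSite    'Lax', 'Strict' or 'None' (case-insensitive); '' means the
     *                            attribute was not set, which current browsers treat as Lax.
     * @param bool   $secureFlag  Whether the cookie carries the Secure attribute.
     * @param bool   $crossSite   Whether the request targets a different site than the cookie's.
     * @param bool   $topLevelNav Whether the request is a top-level navigation (link click,
     *                            typed URL, form submission) rather than a subresource load
     *                            such as an image, script or stylesheet.
     * @param string $method      HTTP method of the request.
     * @param bool   $https       Whether the request goes over HTTPS.
     */
    public static function isSent(
        string $sameSite,
        bool $secureFlag,
        bool $crossSite,
        bool $topLevelNav,
        string $method,
        bool $https
    ): bool {
        // A Secure cookie is never sent over plain HTTP, whatever SameSite says.
        if ($secureFlag && !$https) {
            return false;
        }
        // SameSite only restricts cross-site requests; same-site requests always get the cookie.
        if (!$crossSite) {
            return true;
        }
        $value = $sameSite === '' ? 'lax' : strtolower($sameSite);
        switch ($value) {
            case 'strict':
                return false;
            case 'lax':
                // Per RFC 6265bis: top-level navigation with a safe method only (this goes
                // beyond the article's wording, which does not mention the method).
                return $topLevelNav && in_array(strtoupper($method), ['GET', 'HEAD'], true);
            case 'none':
                // None is only valid together with Secure; Chromium-based browsers reject a
                // SameSite=None cookie that lacks Secure, so it is never sent.
                return $secureFlag;
            default:
                throw new InvalidArgumentException("Unknown SameSite value: $sameSite");
        }
    }
}

// Constructed scenarios: [description, arguments, expected result].
$scenarios = [
    ['Strict cookie, cross-site link click',        ['Strict', true,  true,  true,  'GET',  true],  false],
    ['Lax cookie, cross-site link click',           ['Lax',    true,  true,  true,  'GET',  true],  true],
    ['Lax cookie, cross-site POST form submission', ['Lax',    true,  true,  true,  'POST', true],  false],
    ['Lax cookie, cross-site <img> load',           ['Lax',    true,  true,  false, 'GET',  true],  false],
    ['None+Secure cookie, cross-site <img> load',   ['None',   true,  true,  false, 'GET',  true],  true],
    ['None cookie without Secure (rejected)',       ['None',   false, true,  false, 'GET',  true],  false],
    ['Attribute not set, treated as Lax',           ['',       true,  true,  false, 'GET',  true],  false],
    ['Strict cookie, same-site request',            ['Strict', true,  false, false, 'GET',  true],  true],
    ['Secure cookie over plain HTTP',               ['Lax',    true,  false, true,  'GET',  false], false],
];

foreach ($scenarios as [$label, $args, $expected]) {
    $sent = CookiePolicy::isSent(...$args);
    printf("%-46s sent=%-3s %s\n", $label, $sent ? 'yes' : 'no', $sent === $expected ? 'OK' : 'MISMATCH');
}
```

Run it with `php cookie_policy.php`; every scenario should print OK. The useful line to notice is the third one: a Lax session cookie is not attached to a cross-site POST, which is exactly why Lax already blocks the classic form-based CSRF while leaving ordinary links between sites working.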


An outline

To address this warning in Drupal, you can take the following steps:


Update Drupal Core and Modules

Ensure that your Drupal core and all contributed modules are up to date. Developers often release updates to address security issues and compatibility with the latest browser requirements.

Check Your Cookies

Review the cookies used by your Drupal site and ensure that they have the appropriate "SameSite" attribute set. This can be done in Drupal settings or by customising your code.

Adjust Cookie Settings

In Drupal, you can configure cookie settings under "Configuration" > "Development" > "Performance." Check for any options related to cookie settings and make sure they comply with the "SameSite" attribute requirements.

Use Secure Cookies

If you are using cookies to store sensitive information or session data, ensure that you are using secure cookies (cookies with the "Secure" attribute). This is especially important if your site uses HTTPS.


Test Cross-Site Behaviour

Test your site to verify that cookies are behaving as expected when accessed from different domains or subdomains. This can help you identify any issues with the "SameSite" attribute.

Review and Apply Patches

If your Drupal version or specific modules are known to have "SameSite" attribute issues, check for patches or updates provided by the Drupal community or module maintainers to address these issues.
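For the "Check Your Cookies" and "Test Cross-Site Behaviour" steps, it helps to look at the actual Set-Cookie headers the site returns (in the browser's developer tools or with curl) rather than guessing. The following PHP script is an added example, not part of the original article or of Drupal: it parses Set-Cookie header values and reports the conditions that trigger the status-report warning or that browsers reject. The $headers array is a constructed sample; in practice you would feed it the headers captured from your own site. The SSESS/SESS cookie names follow the pattern Drupal uses for its session cookie, with a made-up hash.

```php
<?php
// Added example, not part of the original article or of Drupal: parse Set-Cookie header
// values and report the conditions that trigger the status-report warning or that
// browsers reject. The $headers array at the bottom is a constructed sample.

/**
 * Split one Set-Cookie header value into its name, value and attributes.
 * Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to true.
 */
function parseSetCookie(string $header): array
{
    $parts = array_map('trim', explode(';', $header));
    [$name, $value] = array_pad(explode('=', array_shift($parts), 2), 2, '');
    $attributes = [];
    foreach ($parts as $part) {
        if ($part === '') {
            continue;
        }
        [$attrName, $attrValue] = array_pad(explode('=', $part, 2), 2, true);
        $attributes[strtolower($attrName)] = is_string($attrValue) ? trim($attrValue) : true;
    }
    return ['name' => $name, 'value' => $value, 'attributes' => $attributes];
}

/**
 * Return a list of findings for one parsed cookie; an empty list means it is fine.
 */
function auditCookie(array $cookie): array
{
    $attrs = $cookie['attributes'];
    $findings = [];
    $raw = $attrs['samesite'] ?? null;
    $sameSite = is_string($raw) ? ucfirst(strtolower($raw)) : null;

    if ($sameSite === null) {
        $findings[] = 'SameSite not set (browsers default to Lax, but the status report wants it explicit)';
    } elseif (!in_array($sameSite, ['Lax', 'Strict', 'None'], true)) {
        $findings[] = "unrecognised SameSite value '$raw'";
    } elseif ($sameSite === 'None' && !isset($attrs['secure'])) {
        $findings[] = 'SameSite=None without Secure (browsers reject this cookie)';
    }
    if (!isset($attrs['secure'])) {
        $findings[] = 'Secure not set (cookie can be sent over plain HTTP)';
    }
    return $findings;
}

// Constructed sample headers. SSESS/SESS followed by a hash is the naming pattern Drupal
// uses for its session cookie (SSESS over HTTPS, SESS over HTTP); the hash here is made up.
$headers = [
    'SSESSdeadbeef=abc123; path=/; domain=.example.test; Secure; HttpOnly; SameSite=Lax',
    'SESSdeadbeef=abc123; path=/; HttpOnly',
    'analytics_id=xyz; path=/; SameSite=None',
    'theme=dark; path=/; Secure; SameSite=Strict',
];

foreach ($headers as $header) {
    $cookie = parseSetCookie($header);
    $findings = auditCookie($cookie);
    printf("%-14s %s\n", $cookie['name'], $findings ? implode('; ', $findings) : 'OK');
}
```

With the sample input, the first and last cookies print OK, the plain SESS cookie is flagged for both a missing SameSite and a missing Secure attribute, and the analytics cookie is flagged because SameSite=None is only honoured together with Secure. To audit a live site, replace the sample array with the Set-Cookie lines captured from a response to your own Drupal pages, including the login response, which is where the session cookie is issued.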


How to resolve

To set the "SameSite" attribute for cookies in a Drupal site, you can do so in several ways, depending on your specific use case and configuration. The "SameSite" attribute can be explicitly set to "Lax," "Strict," or "None" to control how cookies are sent with cross-site requests:


settings.php file

You can configure the "SameSite" attribute for Drupal's session cookie via the settings.php file. The status report message refers to PHP's session.cookie_samesite setting (the linked PHP documentation describes it), so add the following line to settings.php to set the attribute to "Lax," "Strict," or "None," as needed:

ini_set('session.cookie_samesite', 'Lax'); // The session cookie is now issued with SameSite=Lax

Replace 'Lax' with 'Strict' or 'None' if needed. Note that 'None' is only valid when the site is served over HTTPS and the session cookie also carries the Secure attribute (PHP's session.cookie_secure setting). The same value can instead be set globally in php.ini; either way, reload the status report afterwards to confirm that the entry now shows the value you chose.

Drupal Modules

Some Drupal modules, such as the "Session Cookie Settings" module, allow you to configure cookie settings, including the "SameSite" attribute, through the Drupal administration interface. Check if there are relevant modules that provide the desired functionality.


Custom Code

If you need fine-grained control over cookies in custom code, you can set the "SameSite" attribute when setting cookies using PHP. For example, if you're using the setcookie function, you can set the "SameSite" attribute like this (the options-array form shown here requires PHP 7.3 or later):

setcookie('my_cookie', 'cookie_value', [
   'expires' => time() + 3600,   // Cookie lifetime: one hour from now
   'path' => '/',
   'domain' => 'yourdomain.com', // Replace with your site's domain
   'secure' => true,             // Only send the cookie over HTTPS
   'samesite' => 'Lax',          // Set the SameSite attribute ('Lax', 'Strict' or 'None')
]);

Adjust the parameters to match your specific use case. If you choose 'None', keep 'secure' => true, otherwise browsers will reject the cookie.

Server Configuration

Depending on your server configuration and the web server you're using (e.g., Apache, Nginx), you may have the option to set the "SameSite" attribute in server configuration files. This can be used to enforce the attribute globally for all cookies served by the server.

Be sure to test your site thoroughly after changing the "SameSite" attribute, to confirm that your cookies behave as expected and that there are no issues with cross-site requests or session management.