How to deal with PHP 7.3+ session.cookie_samesite=Strict settings

Created on 27 April 2020
Updated 13 March 2025

Just wasted a few hours to learn about the inner workings of OAuth2 and SameSite=Strict restrictions in combinations of modern browsers and modern PHP versions. The hard way.

On a recent standard Debian, PHP is configured with the session.cookie_samesite=Strict setting, leading to the "Invalid Oauth2 state with multiple provider" state.

Possible improvements:
- Warn the user in the backend: "This won't work if you insist on having Strict configured."
- Do something like the patch below: relax the configuration so that a Lax cookie is set for the redirect, and revert to Strict as soon as possible.
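To make the failure mode concrete, here is an added example (not code from the issue or from the social_auth module) that models the SameSite rule a browser applies when it decides whether to attach the session cookie, and replays the OAuth2 round trip described above with Strict, Lax and None cookies. The hosts `app.example` and `idp.example`, the cookie handling and the session store are constructed stand-ins; the example also goes one step beyond the issue by showing that Lax only helps when the provider's callback is a GET navigation, not a cross-site POST.

```python
import secrets
from dataclasses import dataclass, field

APP_SITE = "app.example"        # constructed: the Drupal site running social_auth
PROVIDER_SITE = "idp.example"   # constructed: the OAuth2 provider


def cookie_is_sent(samesite, initiator_site, target_site, top_level, method):
    """Return True if a cookie with this SameSite value is attached to the request.

    Strict: only same-site requests. Lax: same-site requests plus cross-site
    top-level navigations with a safe method (GET/HEAD). None: always.
    """
    if initiator_site == target_site:
        return True
    if samesite == "None":
        return True
    if samesite == "Lax":
        return top_level and method in ("GET", "HEAD")
    return False  # Strict: never on a cross-site request


@dataclass
class OAuth2Client:
    samesite: str
    sessions: dict = field(default_factory=dict)  # session id -> session data

    def begin_login(self):
        """Step 1: the app creates a session, stores the state in it and redirects."""
        sid = secrets.token_hex(8)
        state = secrets.token_urlsafe(16)
        self.sessions[sid] = {"oauth2state": state}
        return sid, state  # the browser keeps sid as the session cookie

    def callback(self, cookie_sent, sid, state):
        """Step 3: the provider sends the browser back with ?state=...; compare it
        with the value stored in the session that the cookie (if any) points to."""
        session = self.sessions.get(sid) if cookie_sent else None
        if session is None or session.get("oauth2state") != state:
            return "Login failed. Invalid OAuth2 state"
        return "ok"


def run_flow(samesite, callback_method="GET"):
    """Replay login start -> provider -> callback for one SameSite policy."""
    app = OAuth2Client(samesite)
    sid, state = app.begin_login()
    # Step 2: the callback request is initiated by the provider's site, so from
    # the browser's point of view it is a cross-site top-level navigation.
    sent = cookie_is_sent(samesite, PROVIDER_SITE, APP_SITE, True, callback_method)
    return app.callback(sent, sid, state)
```

With Strict the callback arrives without the session cookie, so the server has no stored state to compare against and reports exactly the error from this issue; with Lax the GET callback carries the cookie and the state check passes.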

diff --git a/src/Controller/OAuth2ControllerBase.php b/src/Controller/OAuth2ControllerBase.php
index c5deb36..dab2bcc 100644
--- a/src/Controller/OAuth2ControllerBase.php
+++ b/src/Controller/OAuth2ControllerBase.php
@@ -8,6 +8,7 @@ use Drupal\Core\Messenger\MessengerInterface;
 use Drupal\Core\Render\RenderContext;
 use Drupal\Core\Render\RendererInterface;
 use Drupal\Core\Routing\TrustedRedirectResponse;
+use Drupal\Core\Session\SessionManagerInterface;
 use Drupal\social_api\Plugin\NetworkManager;
 use Drupal\social_auth\AuthManager\OAuth2ManagerInterface;
 use Drupal\social_auth\SocialAuthDataHandler;
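Review bot: the new `use Drupal\Core\Session\SessionManagerInterface;` import is only consumed by a `/** @var */` annotation in the second hunk, where the service is fetched statically with `\Drupal::service('session_manager')`. Since this controller already works with injected collaborators (`$this->providerManager`, `$this->dataHandler`, `$this->userAuthenticator`), consider injecting the session manager the same way so the import expresses a real dependency and the code path stays unit-testable.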
@@ -192,6 +193,17 @@ class OAuth2ControllerBase extends ControllerBase {
         $auth_url = $this->providerManager->getAuthorizationUrl();
 
         $state = $this->providerManager->getState();
+
+        // ensure the processCallback() works when default ist SameSite=Strict
+        if (ini_get('session.cookie_samesite') == 'Strict') {
+          ini_set('session.cookie_samesite', 'Lax');
+          /** @var SessionManagerInterface $sm */
+          $sm = \Drupal::service('session_manager');
+          $sm->regenerate(FALSE);
+          ini_set('session.cookie_samesite', 'Strict');
+        }
+
+
         $this->dataHandler->set('oauth2state', $state);
 
         $this->userAuthenticator->dispatchBeforeRedirect($destination);
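Review bot: the `ini_get('session.cookie_samesite') == 'Strict'` check is case-sensitive, so a php.ini that spells the value `strict` (browsers match the attribute case-insensitively, and PHP passes the string through to Set-Cookie) skips the workaround and the callback still fails; use `strcasecmp(ini_get('session.cookie_samesite'), 'Strict') === 0`. Also be clear about what the block achieves: `ini_set()` only affects the next Set-Cookie header, which `$sm->regenerate(FALSE)` forces by issuing a fresh session ID, so the `ini_set(..., 'Strict')` two lines later restores the runtime setting only, and the user's cookie stays Lax until the next session regeneration; if headers were already sent, no new cookie goes out at all. Minor: the comment typo `ist` should read `is`, and of the two added trailing blank lines the second is noise.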
Feature request
Status: Active
Version: 2.0
Component: Code
Created by: 🇨🇭Switzerland spiffl


Comments & Activities


  • 🇪🇸Spain aleix

    Hi, sorry for necrobumping; if you think so, please omit this comment. I recently found exactly the same issue using PHP on a Debian with the default configuration as it comes from the apt repository. The way it is configured, using session.cookie_samesite = "Strict", made me waste a lot of time doing tracing here and there until I found that the cookie was stripped... So now I see, it's obvious (and I was suspecting it), and it is something to be aware of when using third-party auths, but I just confirmed what's said in this post.

    So at least a note about it in Readme.md could help others with the same error, as the path from the error "Login failed. Invalid OAuth2 state" to the misconfigured PHP may be a long trace.
