Symfony's built-in session management implements a workaround for the changed signatures of some cookie- and session-management functions in PHP 7.3, like setcookie(), session_get_cookie_params(), etc. This has been implemented in NativeSessionStorage since this commit.
\Drupal\Core\Session\SessionManager extends this class, but some of its overridden methods, like start() and destroy(), do not call the parent method. Because of this, important upstream tweaks, like proper handling of the SameSite cookie policy, are not available in Drupal.
It also calls setcookie() directly in a few places without handling the different signatures of the function and without passing the site-wide configuration (like SameSite cookie policy settings) stored in SessionConfiguration.
This is the workaround in upstream for setcookie(): https://github.com/symfony/http-foundation/blob/v3.4.41/Session/Storage/...
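One way to send a cookie with the same attributes on both sides of the PHP 7.3 signature change, shown as an added example (not Drupal's or Symfony's code). The helper name send_cookie_compat() and the hand-built header for older PHP are assumptions of this example.

```php
<?php
// Added example; hypothetical helper, not Drupal or Symfony code.
// $params has the shape of session_get_cookie_params(); 'samesite' is
// optional and may be 'Lax', 'Strict' or 'None'.
function send_cookie_compat(string $name, string $value, int $expires, array $params): bool
{
    $sameSite = $params['samesite'] ?? '';
    $secure   = !empty($params['secure']);
    $httpOnly = !empty($params['httponly']);
    $path     = $params['path'] ?? '/';
    $domain   = $params['domain'] ?? '';

    if ($sameSite !== '' && !in_array($sameSite, ['Lax', 'Strict', 'None'], true)) {
        throw new InvalidArgumentException("Unsupported SameSite value: $sameSite");
    }
    if ($sameSite === 'None' && !$secure) {
        // Current browsers reject SameSite=None cookies without Secure.
        throw new InvalidArgumentException('SameSite=None requires the Secure flag.');
    }

    if (PHP_VERSION_ID >= 70300) {
        // PHP 7.3+ accepts an options array that includes 'samesite'.
        $options = ['expires' => $expires, 'path' => $path, 'domain' => $domain,
                    'secure' => $secure, 'httponly' => $httpOnly];
        if ($sameSite !== '') {
            $options['samesite'] = $sameSite;
        }
        return setcookie($name, $value, $options);
    }

    // Before 7.3 setcookie() has no SameSite argument: write the header directly.
    if (headers_sent() || preg_match('/[=,; \t\r\n\013\014]/', $name)) {
        return false;
    }
    $header = 'Set-Cookie: ' . $name . '=' . rawurlencode($value);
    if ($expires !== 0) {
        $header .= '; expires=' . gmdate('D, d M Y H:i:s', $expires) . ' GMT';
    }
    $header .= '; path=' . $path;
    if ($domain !== '')   { $header .= '; domain=' . $domain; }
    if ($secure)          { $header .= '; secure'; }
    if ($httpOnly)        { $header .= '; HttpOnly'; }
    if ($sameSite !== '') { $header .= '; SameSite=' . $sameSite; }
    header($header, false); // false: keep other Set-Cookie headers
    return true;
}

// Expiring the session cookie on destroy, with the site-wide attributes:
// send_cookie_compat(session_name(), '', time() - 3600, session_get_cookie_params());
```

Routing every cookie write through one helper like this keeps the Secure, HttpOnly and SameSite attributes consistent between the cookie that starts a session and the one that expires it.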
Note: There is a todo in the class; it is probably time to address it. :)
* @todo
* In fact the NativeSessionStorage class already implements all of the
* functionality required by a typical Symfony application. Normally it is not
* necessary to subclass it at all. In order to reach the point where Drupal
* can use the Symfony session management unmodified, the code implemented
* here needs to be extracted either into a dedicated session handler proxy
* (e.g. sid-hashing) or relocated to the authentication subsystem.
\Drupal\Core\Session\SessionManager or rather find a better way, a way that allows leveraging the most that upstream can provide.
Closed: outdated
11.0 🔥
base system