Older PHP versions set SameSite attribute on insecure session cookie

Created on 25 May 2022, over 2 years ago
Updated 12 June 2023, over 1 year ago

Problem/Motivation

On PHP versions earlier than 7.3, Drupal 7.79 adds the SameSite attribute to the path of the secure session cookie (setcookie() has no samesite option before PHP 7.3, so the attribute is appended to the path string and emitted verbatim). If $conf['https'] equals TRUE, Drupal copies the parameters of the secure session cookie to an insecure session cookie, including the SameSite attribute in the path. Because the SameSite attribute is only supposed to be set on secure cookies, some browsers, including Chrome and Firefox, reject the insecure session cookie. This causes a duplicate record in the session table: Drupal writes to the session with both cookies, but reads the session with only the secure cookie. As a result,

  • Users initially see an anonymous user page after login.
  • Status messages set after login are never displayed.

Steps to reproduce

  1. Set $conf['https'] = TRUE; in settings.php.
  2. Log in over HTTPS.

Proposed resolution

On older versions of PHP, strip the SameSite attribute from the path if the samesite option is FALSE.
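The path workaround, the parameter copy that leaks the attribute into the insecure cookie, and the proposed fix, modelled as an added example. This is not Drupal core code and not the patch attached to this issue; the function names, the cookie names and the SameSite value None are assumptions made for the illustration.

```php
<?php
// Added example, not Drupal core code: models the pre-PHP-7.3 path workaround
// for SameSite, the parameter copy that leaks it into the insecure cookie, and
// the proposed fix. Function and cookie names are assumed for illustration.

/**
 * Cookie parameters as a PHP < 7.3 workaround would build them. setcookie() has
 * no 'samesite' option before 7.3, so the attribute is appended to the path and
 * emitted verbatim; the browser then parses it as a separate attribute.
 */
function legacy_cookie_params(string $path, $samesite, bool $php_has_samesite): array {
  $params = ['path' => $path, 'secure' => TRUE, 'httponly' => TRUE, 'samesite' => $samesite];
  if ($samesite && !$php_has_samesite) {
    $params['path'] = $path . '; SameSite=' . $samesite;
  }
  return $params;
}

/**
 * Proposed resolution: when the samesite option is FALSE, remove any SameSite
 * attribute that was smuggled in through the path.
 */
function strip_samesite_from_path(array $params): array {
  if (empty($params['samesite'])) {
    $params['path'] = preg_replace('/;\s*SameSite=[^;]*/i', '', $params['path']);
  }
  return $params;
}

/**
 * Render the Set-Cookie header a browser would receive (close enough to
 * setcookie()'s formatting to make the defect visible without a web server).
 */
function render_set_cookie(string $name, string $value, array $params): string {
  $header = $name . '=' . $value . '; Path=' . $params['path'];
  if (!empty($params['secure'])) {
    $header .= '; Secure';
  }
  if (!empty($params['httponly'])) {
    $header .= '; HttpOnly';
  }
  return $header;
}

/** The check a browser applies: SameSite=None is only stored together with Secure. */
function browser_accepts(string $header): bool {
  $has_none = preg_match('/;\s*SameSite=None\b/i', $header) === 1;
  $has_secure = preg_match('/;\s*Secure\b/i', $header) === 1;
  return !$has_none || $has_secure;
}

// Assumed value: SameSite=None is the one browsers refuse on a non-Secure cookie.
$secure = legacy_cookie_params('/', 'None', FALSE);
$headers = ['secure' => render_set_cookie('SSESSexample', 'secure-id', $secure)];

// The $conf['https'] branch copies the secure cookie's params to the insecure
// cookie: Secure is dropped, but the attribute hidden in the path is kept.
$insecure = $secure;
$insecure['secure'] = FALSE;
$insecure['samesite'] = FALSE;
$headers['insecure (bug)'] = render_set_cookie('SESSexample', 'insecure-id', $insecure);

// With the proposed fix applied before the insecure cookie is set.
$fixed = strip_samesite_from_path($insecure);
$headers['insecure (fixed)'] = render_set_cookie('SESSexample', 'insecure-id', $fixed);

foreach ($headers as $label => $header) {
  printf("%-18s %s  [browser %s]\n", $label . ':', $header, browser_accepts($header) ? 'accepts' : 'rejects');
}
```

Run it with the PHP CLI; no web server is needed because the Set-Cookie header is rendered as a string. The middle line shows the insecure cookie carrying a SameSite attribute without Secure, which is the cookie the browser drops and the reason the session row is duplicated; the last line shows the same cookie after the attribute is stripped from the path.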

Bug report

Status

Needs work

Version

7.0

Component

Bootstrap

No maintainer

Created by

darren oh (Lakeland, Florida, United States)

  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.
