- Issue created by @ShaunDychko
- Status changed to Needs review
29 May 2024, 5:23pm
Setting cookie_samesite = Strict in services.yml breaks social_auth login. The session cookie is not sent to the Drupal site upon redirect back from the authentication provider. cookie_samesite = Lax works fine. While using cookie_samesite = Strict, Google login was broken for days without any logging to the database and no error message for users. There was only a redirect to the user login page. Drupal's messenger service stores error messages in the user session, but since the session cookie wasn't sent by the user's browser, there was no error message to show.

Users finally reported the issue and it was a slog of debugging to determine the cause. The motivation with this issue is to save other developers this pain and improve error reporting.
Set cookie_samesite = Strict in services.yml and watch social_auth redirect to the user login page with no error message and no database logging. Clear all browser cookies and rebuild the Drupal cache after changing cookie_samesite.

Apply the following patch.
4.1
Code
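The browser rule behind the report, as an added example that is not part of this issue, of Drupal or of social_auth: a model of the SameSite cookie rules from RFC 6265bis, run over the round trip that social_auth makes to the provider. The site name example.org, the Google authorization URL and the callback path are constructed for the illustration, and the "registrable domain" is approximated by the last two host labels instead of the Public Suffix List.

```javascript
// Added example, not Drupal or social_auth code. Models the browser's decision
// whether to attach a cookie carrying a given SameSite attribute, following the
// "same-site" computation of RFC 6265bis. Simplification: registrable domain is
// taken as the last two host labels (no Public Suffix List lookup).

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// The "site" of a URL for SameSite purposes: scheme plus registrable domain.
function siteOf(url) {
  const u = new URL(url);
  const labels = u.hostname.split(".");
  return `${u.protocol}//${labels.slice(-2).join(".")}`;
}

// Core rule: is a cookie with SameSite=attr attached to this request?
function sameSiteAllows(attr, { sameSite, method = "GET", topLevelNavigation = true }) {
  switch (attr) {
    case "None":
      return true; // browsers additionally require the Secure attribute
    case "Lax":
      // Cross-site is allowed only for top-level navigations with a safe method.
      return sameSite || (topLevelNavigation && SAFE_METHODS.has(method.toUpperCase()));
    case "Strict":
      return sameSite; // never attached to a cross-site request
    default:
      throw new Error(`unknown SameSite value: ${attr}`);
  }
}

// Walk a navigation through its redirect chain. A request is cross-site if the
// initiator or ANY earlier URL in the chain is not same-site with the request
// URL, so one cross-site hop taints every later hop. Returns one boolean per
// hop: was the cookie sent on that request?
function cookieOnRedirectChain(attr, initiator, hops, opts = {}) {
  const seen = [siteOf(initiator)];
  return hops.map((url) => {
    const target = siteOf(url);
    const sameSite = seen.every((s) => s === target);
    seen.push(target);
    return sameSiteAllows(attr, { sameSite, ...opts });
  });
}

// Constructed scenario: a Drupal site at example.org using Google as provider.
// Returns which hops of the login round trip carry the Drupal session cookie.
function socialAuthRoundTrip(attr) {
  const site = "https://example.org";
  // Hop 1: the user clicks "Log in with Google" on the site (same-site navigation).
  const [outbound] = cookieOnRedirectChain(attr, `${site}/user/login`, [
    `${site}/user/login/google`,
  ]);
  // Hop 2: the provider 302s the browser back to the callback: a cross-site,
  // top-level GET. Hop 3: the callback itself redirects to /user/login; it is
  // still part of the cross-site-initiated chain.
  const [callback, loginPage] = cookieOnRedirectChain(
    attr,
    "https://accounts.google.com/o/oauth2/v2/auth", // constructed provider URL
    [`${site}/user/login/google/callback?code=AUTHCODE&state=STATE`, `${site}/user/login`]
  );
  return { outbound, callback, loginPage };
}

for (const attr of ["Strict", "Lax"]) {
  console.log(attr, socialAuthRoundTrip(attr));
}
// Strict { outbound: true, callback: false, loginPage: false }
// Lax    { outbound: true, callback: true,  loginPage: true }
```

Under Strict the session cookie is present when the user leaves the site but absent on the callback, so the state stored in the session cannot be checked, and it is absent again on the follow-up redirect to the login page because that request belongs to the same cross-site-initiated chain; under this model a message written to the session during the callback is not readable on that redirect, which matches the silent redirect described above. Lax attaches the cookie to both cross-site hops because they are top-level GET navigations, which is why it works; a provider that returned the response with a POST (form_post response mode) would also lose the cookie under Lax.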