SameSite Cookie

This project is not covered by Drupal’s security advisory policy.

As of Drupal 7.79, a SameSite cookie attribute is set for Drupal's session cookies. This module provides functionality in the Drupal Admin UI to customize the response sent to clients.

Choose whether "None", "Lax", "Strict", or no attribute is sent.
Work around legacy browsers that are unable to accept SameSite=None cookies

Screenshot of the administration form for this module.

With this module, it is not necessary to make changes to settings.php for SameSite (as described by the core 7.79 change record). The samesite_cookie_value configuration variable is overridden by this module.

For general information on the SameSite cookie attribute, you can refer to this MDN documentation:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

For information about the legacy browsers that have problems with SameSite=None (that this module provides a workaround for), you can refer to this Chromium documentation:
https://www.chromium.org/updates/same-site/incompatible-clients
Per the Chromium documentation:

Some user agents are known to be incompatible with the `SameSite=None` attribute.

Versions of Chrome from Chrome 51 to Chrome 66 (inclusive on both ends). These Chrome versions will reject a cookie with `SameSite=None`. This also affects older versions of Chromium-derived browsers, as well as Android WebView. This behavior was correct according to the version of the cookie specification at that time, but with the addition of the new "None" value to the specification, this behavior has been updated in Chrome 67 and newer. (Prior to Chrome 51, the SameSite attribute was ignored entirely and all cookies were treated as if they were `SameSite=None`.)

Versions of UC Browser on Android prior to version 12.13.2. Older versions will reject a cookie with `SameSite=None`. This behavior was correct according to the version of the cookie specification at that time, but with the addition of the new "None" value to the specification, this behavior has been updated in newer versions of UC Browser.

Versions of Safari and embedded browsers on MacOS 10.14 and all browsers on iOS 12. These versions will erroneously treat cookies marked with `SameSite=None` as if they were marked `SameSite=Strict`. This bug has been fixed on newer versions of iOS and MacOS.

This module has been manually tested by a few people and everything appears to be working properly. Accordingly, this module stability is "release candidate" (not "stable"). Testing (and bug reporting) is welcome.

Attachment	Size
samesite cookie attribute settings form.png	52.45 KB

Project information

Seeking co-maintainer(s)
Maintainers are looking for help reviewing issues.
Project categories: Administration tools, Security
56 sites report using this module
Created by nullkernel on 9 April 2021, updated 23 April 2021
This project is not covered by the security advisory policy.
Use at your own risk! It may have publicly disclosed vulnerabilities.

Releases

View all releases

SameSite Cookie

Primary tabs

Project information

Releases

Maintainers

Issues for SameSite Cookie

All issues

Bug report

Statistics

Resources

Development

News items

Our community

Documentation

Drupal code base

Governance of community