Score:2

Setting SameSite=None on a session cookie

ph flag

I have a custom endpoint which stores a value in a session cookie, using this code:

$session = $this->request->getCurrentRequest()->getSession();
$session->set('test.email', $data['email']);

I'm calling this endpoint from a decoupled frontend.

This works fine in Firefox, but in Chrome it looks like the session cookie is being blocked because SameSite is set to Lax. How would I set SameSite to be None? Ideally I only want to do that for this cookie, not all cookies.

id flag
I don't think you can do so because the Session service has only one configuration for samesite. Have you considered setting a specific cookie rather than using the session cookie? Also, FWIW, Chrome assumes "Lax" if samesite is unset.
ph flag
Thanks, I'll look at switching to a custom cookie. I guess I'll need to store the data in user data with an expiry instead of session storage.
ph flag
Actually, I can't use user data; this is an anonymous session.
id flag
Local storage and cookies are different things.
id flag
Oh, I misunderstood what you wrote. Any cookie can have an expiry, which should work.
ph flag
Yep, but I need to store some data on the server side too. I can't store it in session data or in the tempStore because those use session cookies. I can't store it in userData because it's an anonymous session. Hopefully I don't have to define my own schema for this?
Score:3
cn flag

You can change the session cookie settings in services.yml. See How do I set the cookie lifetime?

This is not only possible for the default parameters defined by Drupal but for any parameter listed in the PHP docs:

https://www.php.net/session.configuration

So you can add SameSite=None to the session storage options:

sites/default/services.yml

parameters:
  session.storage.options:
    gc_probability: 1
    gc_divisor: 100
    gc_maxlifetime: 200000
    cookie_lifetime: 2000000
    sid_length: 48
    sid_bits_per_character: 6
    cookie_samesite: none

These options only apply to the session cookie, not to any cookie set by your site. To change the options dynamically see How do I dynamically change cookie_lifetime?
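
A check for the result of the change above, as an added example that is not part of the original thread: it parses Set-Cookie header values and reports whether Chrome would use each cookie on cross-site fetch/XHR requests from a decoupled frontend. It assumes Chrome's rules that an unset SameSite is treated as Lax and that SameSite=None is only accepted together with Secure; the function names, cookie names and values are constructed for illustration.

```python
# Added example (not from the thread): how Chrome treats a Set-Cookie header
# when the request is a cross-site fetch/XHR from a decoupled frontend.

def parse_set_cookie(header):
    """Return (cookie_name, {lowercased attribute: value}) for one header value."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.split("=", 1)[0]
    attrs = {}
    for part in rest:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def cross_site_verdict(header):
    """Classify one Set-Cookie header for cross-site subrequests in Chrome."""
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    if samesite == "none":
        # Chrome only accepts SameSite=None together with the Secure attribute.
        verdict = "usable" if "secure" in attrs else "rejected: SameSite=None without Secure"
    elif samesite == "strict":
        verdict = "blocked: SameSite=Strict"
    elif samesite == "lax":
        verdict = "blocked: SameSite=Lax"
    else:
        # Attribute missing or unrecognised: Chrome applies Lax.
        verdict = "blocked: defaults to Lax"
    return name, verdict


def audit(headers):
    """Map each cookie name to its verdict."""
    return dict(cross_site_verdict(h) for h in headers)


# Constructed sample headers; cookie names and values are placeholders.
SAMPLE_HEADERS = [
    "SSESSexample=abc123; path=/; secure; HttpOnly; SameSite=none",
    "SESSexample=abc123; path=/; HttpOnly; SameSite=none",
    "legacy=1; path=/; HttpOnly",
    "prefs=dark; path=/; Secure; SameSite=Lax",
]

if __name__ == "__main__":
    for cookie, verdict in audit(SAMPLE_HEADERS).items():
        print(f"{cookie}: {verdict}")
```

Run it against the Set-Cookie values returned by the endpoint after editing services.yml. A "rejected" verdict means the cookie lacks Secure, which SameSite=None requires.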
