
Is there a good solution to add the Cookie SameSite None configuration to a Drupal7 and PHP7.0 setup?

My only finding was to override the file includes/session.inc from:

```php
setcookie(session_name(), session_id(), $expire, $params['path'], $params['domain'], $params['secure'], $params['httponly']);
```

to

```php
header("Set-Cookie: {$cookie_name}={$session_id}; Domain=localhost; Path={$params['path']}; SameSite=None; Secure; HttpOnly; ");
```

It does not even seem to work in all situations...

Charles
  • With [7.0 being end of life](https://www.php.net/supported-versions.php), I think `header()` is your only real option. Can I ask why you're setting the session cookie to `SameSite=None`? Is the site primarily used in a cross-site embedded context? – rowan_m Apr 06 '20 at 13:46
  • Our payment provider is redirecting our customer with a POST request directly to our website. – Charles Apr 08 '20 at 10:44
  • I need to do the same in PHP7.2 for my session cookie, sadly don't know where to edit the cookie creation or append the samesite=lax parameter to this particular cookie. – Elber CM Apr 21 '20 at 17:17

1 Answer


It's a bit of a hack but you can set SameSite to None for the session cookie by adding this to your settings.php:

```php
ini_set('session.cookie_path', '/; samesite=None');
```
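
A version-aware form of the settings.php override above, as an added example that is not part of the original answer or of Drupal core. `samesite_session_ini()` is a hypothetical helper name; it uses PHP's native `session.cookie_samesite` setting on 7.3 and later, falls back to the path trick on older versions, and also sets `Secure`, which browsers require for `SameSite=None`.

```php
<?php
// Added example: samesite_session_ini() is a hypothetical helper, not Drupal core code.

/**
 * Build the session ini overrides that put a SameSite attribute on the
 * session cookie, for the PHP version given as a PHP_VERSION_ID integer.
 */
function samesite_session_ini($php_version_id, $samesite = 'None', $path = '/') {
  if (!in_array($samesite, array('None', 'Lax', 'Strict'), TRUE)) {
    throw new InvalidArgumentException("Unsupported SameSite value: $samesite");
  }
  // The pre-7.3 fallback relies on the path being copied into the
  // Set-Cookie header as-is, so refuse any path that could carry
  // extra attributes of its own.
  if (preg_match('/[;,\s]/', $path)) {
    throw new InvalidArgumentException('Cookie path contains a separator.');
  }

  $ini = array('session.cookie_httponly' => '1');
  if ($samesite === 'None') {
    // Browsers reject SameSite=None cookies that are not also Secure.
    $ini['session.cookie_secure'] = '1';
  }

  if ($php_version_id >= 70300) {
    // Native setting, available from PHP 7.3.
    $ini['session.cookie_path'] = $path;
    $ini['session.cookie_samesite'] = $samesite;
  }
  else {
    // Older PHP: append the attribute through the path, as in the answer.
    $ini['session.cookie_path'] = $path . '; SameSite=' . $samesite;
  }
  return $ini;
}

// In settings.php: apply the overrides before the session is started.
foreach (samesite_session_ini(PHP_VERSION_ID) as $key => $value) {
  ini_set($key, $value);
}
```

With `SameSite=None` the session cookie accompanies every cross-site request, so request forgery protection on state-changing pages rests on form tokens rather than on the cookie attribute.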