There are plenty of articles out there explaining what the changes are (https://blog.chromium.org/2020/02/samesite-cookie-changes-in-february.html), why they’ve been made (https://www.troyhunt.com/promiscuous-cookies-and-their-impending-death-via-the-samesite-policy) and how to ‘theoretically’ fix them with simple code examples, but we haven’t stumbled upon many articles explaining ‘practical’ solutions to apply to a Drupal site to actually fix the issues that arise from the stricter cookie policy Chrome has enforced since the Chrome 80 release.
The problem
We’ve faced two major issues so far with the changes in Chrome:
1. Payment gateways failing to return to the site correctly, with people being ‘logged out’ or losing their checkout session when redirected back from the payment gateway.
This happens because the redirect back from many gateways is a cross-site request that needs the site’s session cookie. If that cookie’s SameSite attribute is not set to ‘None’ (together with Secure), Chrome drops the cookie on the return request, so you are no longer ‘logged in’ and no longer on the ‘checkout’ path you were on beforehand.
This means that any logic that would normally run upon returning from the payment gateway (i.e. changing order status, sending emails, sending data to external CRMs etc.) no longer gets triggered.
See Drupal Commerce issue for more information on the problem:
https://www.drupal.org/project/commerce/issues/3051241
It’s worth noting, though, that not all payment gateways faced this issue.
2. Some SSO logins no longer working correctly, due to the same issue of cookies not being sent in a third-party context.
The solutions
Depending on which PHP version you’re running there are two possible solutions we’ve found; however, with PHP 7.2 reaching end of life and hopefully many people updating to 7.3 (blog post coming soon on how we tackled the upgrade of more than 50 sites to 7.3), the easy first solution will be available to most of you.
PHP >= 7.3
We’ve found that the simplest solution to overcome this issue without having to install any contrib modules or do any custom code is to add the following lines to the site’s settings.php file:
// Mark the session cookie Secure: Chrome only honours SameSite=None on Secure cookies, so the site must be served over HTTPS.
ini_set('session.cookie_secure', 1);
// Allow the session cookie to be sent on cross-site requests, such as the redirect back from a payment gateway.
ini_set('session.cookie_samesite', 'None');
However, the `session.cookie_samesite` directive is only available in PHP 7.3 or above (https://php.watch/articles/PHP-Samesite-cookies).
This means that on older versions of PHP you’ll either have to install a contrib module or set the cookies yourself.
This shouldn’t be a problem for much longer as PHP 7.2 is end of life and people should be updating to 7.3 or above anyway.
PHP < 7.3
If you’re still running an older version of PHP, you can use this Drupal contributed module, which updates the cookies so that the SameSite attribute is set to None:
https://www.drupal.org/project/cookie_samesite_support
The alternative is to create a custom solution similar to that of the module above.
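As an added illustration of what such a custom solution can look like (this is example code written for this post, not the contributed module’s code), here is a Drupal 8 event subscriber for PHP < 7.3 that rewrites the Set-Cookie headers PHP has already queued so they carry SameSite=None and Secure. The module name samesite_fix and the class name are placeholders, and the subscriber assumes the session cookie has been queued via PHP’s own session handler by the time the RESPONSE event fires.

```php
<?php
// Hypothetical module "samesite_fix": src/EventSubscriber/SameSiteSubscriber.php
// (register it in samesite_fix.services.yml with the event_subscriber tag).
namespace Drupal\samesite_fix\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\FilterResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

/**
 * Rewrites queued Set-Cookie headers to carry "SameSite=None; Secure".
 *
 * PHP < 7.3 has no session.cookie_samesite, and PHP's session handler
 * sends the session cookie with header(), so headers_list() is where
 * the session cookie and any other cookies can be fixed up together.
 */
class SameSiteSubscriber implements EventSubscriberInterface {

  public static function getSubscribedEvents() {
    // Low priority: run after other subscribers have added their cookies.
    return [KernelEvents::RESPONSE => ['onResponse', -1000]];
  }

  public function onResponse(FilterResponseEvent $event) {
    // Chrome rejects SameSite=None without Secure, and a Secure cookie is
    // never sent over plain HTTP, so only rewrite on HTTPS requests.
    if (!$event->getRequest()->isSecure()) {
      return;
    }
    $cookies = [];
    foreach (headers_list() as $header) {
      if (stripos($header, 'Set-Cookie:') === 0) {
        $cookies[] = trim(substr($header, strlen('Set-Cookie:')));
      }
    }
    header_remove('Set-Cookie');
    foreach ($cookies as $cookie) {
      // FALSE keeps one Set-Cookie header per cookie instead of replacing.
      header('Set-Cookie: ' . self::withSameSiteNone($cookie), FALSE);
    }
  }

  // Replaces any SameSite attribute with None and ensures Secure is present.
  public static function withSameSiteNone($cookie) {
    $parts = array_filter(array_map('trim', explode(';', $cookie)), function ($p) {
      return $p !== '' && stripos($p, 'SameSite=') !== 0 && strcasecmp($p, 'Secure') !== 0;
    });
    return implode('; ', array_merge($parts, ['Secure', 'SameSite=None']));
  }
}
```

After enabling the module, check the response headers of a logged-in page over HTTPS (for example in the browser’s network inspector) to confirm the session cookie now ends in `Secure; SameSite=None`.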