Remediation Steps

Follow the steps below to remediate this finding on Drupal.

  1. In settings.php, set the SameSite attribute on the session cookie:

    ini_set('session.cookie_samesite', 'Lax');

  2. For Drupal 9+, add to settings.php:

    $settings['session_handler_class'] = '\Drupal\Core\Session\SessionHandler';

  3. SameSite is set to Lax by default in Drupal 9.3+. Verify that you are running a supported version and that the setting has not been overridden elsewhere.
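To confirm the remediation took effect, inspect the Set-Cookie headers of a response to an authenticated request (Drupal does not emit a session cookie until a session is actually started) and check the SameSite attribute on the session cookie. The following script is an added example, not part of this page or of Drupal; it assumes Drupal's session cookie naming (SESS<hash> over HTTP, SSESS<hash> over HTTPS) and runs over constructed sample headers.

```python
import re

# Drupal names its session cookie SESS<hash> over HTTP and SSESS<hash> over HTTPS
# (the hash is derived from the site's base URL).
DRUPAL_SESSION_COOKIE = re.compile(r"^S?SESS[0-9a-f]+$", re.IGNORECASE)

# Constructed sample headers, as a Drupal response to an authenticated request
# might emit them (hashes and token values are made up for this example).
SAMPLE_HEADERS = [
    "SSESSd41d8cd98f00b204e9800998ecf8427e=tok1; Max-Age=2000000; path=/; secure; HttpOnly; SameSite=Lax",
    "SESS9e107d9d372bb6826bd81d3542a419d6=tok2; Max-Age=2000000; path=/; HttpOnly",
    "SESS0cc175b9c0f1b6a831c399e269772661=tok3; path=/; SameSite=None; secure",
    "has_js=1; path=/",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def samesite_status(header):
    """Classify one Set-Cookie header: 'lax' or 'strict' satisfy the finding,
    'none' and 'missing' do not (a missing attribute is browser-dependent)."""
    _, attrs = parse_set_cookie(header)
    value = attrs.get("samesite", "").lower()
    if value in ("lax", "strict"):
        return value
    return "none" if value == "none" else "missing"


def audit_session_cookies(headers):
    """Return {cookie name: SameSite status} for every Drupal session cookie found."""
    results = {}
    for header in headers:
        name, _ = parse_set_cookie(header)
        if DRUPAL_SESSION_COOKIE.match(name):
            results[name] = samesite_status(header)
    return results


if __name__ == "__main__":
    for name, status in audit_session_cookies(SAMPLE_HEADERS).items():
        print(f"{name}: SameSite {status}")
```

Feed it the real Set-Cookie headers from your site (for example, those captured with a browser's developer tools or curl -i) in place of SAMPLE_HEADERS; an empty result means no session cookie was set on that response, not that the setting is correct.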