Acquia Support Knowledge Base

Drupal session cookie attributes

    Updated October 29, 2020 19:28

    We are often asked for help troubleshooting the attributes of Drupal's session cookies. The good news is that Drupal generally does a good job on this front, and it is seldom necessary to alter the default settings.

    What are the HttpOnly and Secure attributes on (session) cookies?

    A cookie with the Secure attribute is only sent to the server over an encrypted HTTPS connection; the browser will not include it in a plain http request.
    A cookie with the HttpOnly attribute cannot be read by JavaScript running in the page (for example via document.cookie); it is only sent to the server. This helps mitigate the impact of cross-site scripting (XSS), because an injected script cannot simply read the session cookie and send it elsewhere, although it does nothing to prevent the XSS itself.

    https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Secure_and_HttpOnly_cookies

    Drupal always sets the HttpOnly attribute on its session cookies (the linked lines call ini_set('session.cookie_httponly', '1') during bootstrap):

    D7: https://git.drupalcode.org/project/drupal/blob/7.x/includes/bootstrap.inc#L693

    D8: https://git.drupalcode.org/project/drupal/blob/8.8.x/core/lib/Drupal/Core/DrupalKernel.php#L999

    There should be no need to alter this configuration, e.g. in settings.php.

    Drupal sets the Secure attribute on session cookies when it sees the request as being made over https (in that case it also changes the session cookie name prefix from SESS to SSESS):

    D7: https://git.drupalcode.org/project/drupal/blob/7.x/includes/bootstrap.inc#L821

    D8: https://git.drupalcode.org/project/drupal/blob/8.8.x/core/lib/Drupal/Core/Session/SessionConfiguration.php#L37

    Therefore, if the site is being accessed via https, session cookies will typically have both the HttpOnly and Secure attributes set.

    Common pitfalls

    When testing session cookie attributes, accessing the site over plain http will result in the Secure attribute not being set on the session cookie (and the cookie name will start with SESS rather than SSESS). In addition, browsers will not send a Secure cookie with a (non-secure) plain http request, so a session cookie obtained over https will not show up on a subsequent http request.

    Examining the PHP session settings in php.ini or phpinfo() will not reflect the settings Drupal actually uses, because Drupal overrides them at runtime with ini_set(), as per the code linked above.

    Recommended testing approach

    It is best to use a browser's developer tools to examine the attributes of Drupal's session cookie once you have logged in to the site (over https if you are hoping to see the Secure attribute set). In Chrome the cookies are listed under Application > Cookies; in Firefox under Storage > Cookies.

    [Screenshot: session cookie attributes in a browser's developer tools]
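    As an added check to complement the browser-based approach (example code written for this article, not Acquia's or Drupal's own), the following Python script evaluates raw Set-Cookie header values, such as those captured from the login response with curl -D, against the expectations above: HttpOnly on every session cookie, Secure on the SSESS cookie, and no non-secure SESS cookie over https unless it appears alongside an SSESS cookie, which is the Drupal 7 "mixed mode" case described further down. The function names parse_set_cookie and check_session_cookies are this example's own; the only Drupal behaviour it relies on is the SESS/SSESS plus 32 hex character cookie naming used by Drupal 7 and 8. The sample header values are constructed, not captured from a real site.

```python
import re

# Drupal 7 and 8 name the session cookie SESS<32 hex> over http and
# SSESS<32 hex> over https (substr(hash('sha256', ...), 0, 32)).
SESSION_NAME = re.compile(r"^(SS|S)ESS[0-9a-f]{32}$")


def parse_set_cookie(header):
    """Parse one Set-Cookie header value into (name, value, attrs).

    attrs maps lower-cased attribute names to their value, or to True
    for valueless flags such as Secure and HttpOnly.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def check_session_cookies(set_cookie_headers, scheme):
    """Map each Drupal session cookie name to a verdict string.

    scheme is the scheme the request was made over ('http' or 'https').
    Over plain http the Secure attribute cannot be expected. Over https a
    non-secure SESS cookie issued alongside an SSESS cookie is Drupal 7
    "mixed mode" ($conf['https'] = 1), not a misconfiguration, so it is
    labelled as such rather than failed; a SESS cookie on its own over
    https is failed, because Drupal did not treat the request as secure.
    """
    parsed = [parse_set_cookie(h) for h in set_cookie_headers]
    session = [(n, a) for n, _, a in parsed if SESSION_NAME.match(n)]
    mixed_mode = (any(n.startswith("SSESS") for n, _ in session)
                  and any(n.startswith("SESS") for n, _ in session))

    verdicts = {}
    for name, attrs in session:
        problems = []
        if "httponly" not in attrs:
            problems.append("missing HttpOnly")
        if name.startswith("SSESS") and "secure" not in attrs:
            problems.append("missing Secure")
        if scheme == "https" and name.startswith("SESS") and not mixed_mode:
            problems.append("non-secure SESS cookie issued over https")
        if problems:
            verdicts[name] = "FAIL: " + ", ".join(problems)
        elif scheme == "http":
            verdicts[name] = "OK (Secure not expected over plain http)"
        elif name.startswith("SESS"):
            verdicts[name] = "OK (D7 mixed mode: non-secure cookie by design)"
        else:
            verdicts[name] = "OK"
    return verdicts


# Constructed sample Set-Cookie values (not captured from a real site).
HASH = "0a7f3c9b1e5d2a4c8f6b0e9d3c7a1f5b"  # stands in for the name hash
HTTPS_LOGIN = [
    f"SSESS{HASH}=abc123; path=/; domain=.example.com; HttpOnly; Secure",
]
HTTP_LOGIN = [
    f"SESS{HASH}=abc123; path=/; domain=.example.com; HttpOnly",
    "foo=bar; path=/",  # not a session cookie, ignored
]
MIXED_MODE = [
    f"SESS{HASH}=abc123; path=/; HttpOnly",
    f"SSESS{HASH}=def456; path=/; HttpOnly; Secure",
]
MISSING_HTTPONLY = [
    f"SSESS{HASH}=abc123; path=/; Secure",
]

if __name__ == "__main__":
    for label, headers, scheme in [
        ("https login", HTTPS_LOGIN, "https"),
        ("http login", HTTP_LOGIN, "http"),
        ("D7 mixed mode over https", MIXED_MODE, "https"),
        ("HttpOnly stripped", MISSING_HTTPONLY, "https"),
    ]:
        print(label)
        for name, verdict in check_session_cookies(headers, scheme).items():
            print(f"  {name[:9]}...: {verdict}")
```

    Feed it the Set-Cookie lines from the response to a successful login; Drupal does not issue a session cookie for an anonymous request that stores nothing in the session, so a plain GET of the front page will usually show no session cookie at all. A lone SESS cookie on an https URL usually means TLS is terminated in front of PHP and Drupal sees the request as plain http (for example a reverse proxy whose forwarded headers are not trusted), which is exactly the case in which Drupal will not add Secure.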

    Warning: "mixed mode"

    Versions of Drupal before 8 had an option sometimes referred to as "mixed mode" for sessions, whereby two session cookies are issued: one for secure (https) requests and one for non-secure (http) requests. In this case the non-secure cookie will not have the Secure attribute set, by design.

    This option does not have a very descriptive name in settings:

    settings.php:    $conf['https'] = 1;

    ...which sometimes leads to confusion; it is not obvious what putting this in settings.php will actually do.

    See the Drupal documentation on mixed mode. This option was removed in Drupal 8, and there is seldom a good reason to use it.

    Drew Webber
