Further to my comment above, I've since ditched the idea of extending the session class and have instead added the samesite cookie attribute to my core system file. I know this is terrible practice but it was less messy than extending the session class, and I'm hoping the samesite attribute is included in a future patch/version, therefore rendering my change temporary.
I did this by modifying line 163 in /system/libraries/Session/Session.php from:
PHP Code:
setcookie(
    $this->_config['cookie_name'],
    session_id(),
    (empty($this->_config['cookie_lifetime']) ? 0 : time() + $this->_config['cookie_lifetime']),
    $this->_config['cookie_path'],
    $this->_config['cookie_domain'],
    $this->_config['cookie_secure'],
    TRUE
);
to
PHP Code:
setcookie(
    $this->_config['cookie_name'],
    session_id(),
    [
        'expires' => (empty($this->_config['cookie_lifetime']) ? 0 : time() + $this->_config['cookie_lifetime']),
        'path' => $this->_config['cookie_path'],
        'domain' => $this->_config['cookie_domain'],
        'secure' => $this->_config['cookie_secure'],
        'httponly' => TRUE,
        'samesite' => 'Lax',
    ]
);
Really the samesite attribute should be configurable rather than hardcoded, and again I realise changing core system files is generally not acceptable. In our case I just want to set this attribute with as little fuss as possible, and hope for a more permanent solution in the future.
Note: The above also assumes you are on PHP 7.3 or higher.
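
Added example, not part of the original post and not CodeIgniter's own code: one way to make the SameSite value configurable instead of hardcoded, with the PHP 7.3 requirement checked explicitly. The config key 'cookie_samesite' and both function names are assumptions made for illustration; the sample config is constructed.

```php
<?php
// Added example: 'cookie_samesite' is an assumed config key, not one from the post.

function build_session_cookie_options(array $config): array
{
    // Normalise case so 'lax', 'LAX' and 'Lax' are all accepted.
    $sameSite = ucfirst(strtolower($config['cookie_samesite'] ?? 'Lax'));
    if (!in_array($sameSite, ['Lax', 'Strict', 'None'], true)) {
        throw new InvalidArgumentException("Unsupported SameSite value: {$sameSite}");
    }
    // Current browsers reject SameSite=None cookies that are not also Secure.
    if ($sameSite === 'None' && empty($config['cookie_secure'])) {
        throw new InvalidArgumentException('SameSite=None requires cookie_secure = TRUE');
    }
    return [
        'expires'  => empty($config['cookie_lifetime']) ? 0 : time() + $config['cookie_lifetime'],
        'path'     => $config['cookie_path'],
        'domain'   => $config['cookie_domain'],
        'secure'   => (bool) $config['cookie_secure'],
        'httponly' => true,
        'samesite' => $sameSite,
    ];
}

function send_session_cookie(array $config, string $sessionId): bool
{
    // Validate first so a bad config fails the same way on every PHP version.
    $options = build_session_cookie_options($config);
    if (PHP_VERSION_ID < 70300) {
        // The options-array form of setcookie() only exists from PHP 7.3.
        throw new RuntimeException('The setcookie() options array needs PHP 7.3 or higher');
    }
    return setcookie($config['cookie_name'], $sessionId, $options);
}

// Constructed sample config, mirroring the keys used in the post.
$config = [
    'cookie_name'     => 'ci_session',
    'cookie_lifetime' => 7200,
    'cookie_path'     => '/',
    'cookie_domain'   => '',
    'cookie_secure'   => true,
    'cookie_samesite' => 'lax',
];
$options = build_session_cookie_options($config);
echo 'SameSite=', $options['samesite'], PHP_EOL;
```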