---
title: "Drupal session cookie attributes"
date: "2022-03-14T22:12:06+00:00"
summary:
image:
type: "article"
url: "/acquia-cloud-platform/help/94386-drupal-session-cookie-attributes"
id: "59744af0-aa3c-4e9c-8de8-1aed8c3db13f"
---

We are often asked for help troubleshooting the attributes of Drupal's session cookies. The good news is that Drupal generally does a good job on this front, and it is seldom necessary to alter the default settings.

### What are the _HttpOnly_ and _Secure_ attributes on (session) cookies?

> A _secure_ cookie is only sent to the server with an encrypted request over the HTTPS protocol.

> To help mitigate cross-site scripting (XSS) attacks, _HttpOnly_ cookies are inaccessible to JavaScript... they are only sent to the server.

[https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#the\_set-cookie\_and\_cookie\_headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#the_set-cookie_and_cookie_headers)

### Drupal always sets the _HttpOnly_ attribute on its session cookies

D7: [https://git.drupalcode.org/project/drupal/blob/7.x/includes/bootstrap.inc#L693](https://git.drupalcode.org/project/drupal/blob/7.x/includes/bootstrap.inc#L693)  
D8: [https://git.drupalcode.org/project/drupal/blob/8.8.x/core/lib/Drupal/Core/DrupalKernel.php#L999](https://git.drupalcode.org/project/drupal/blob/8.8.x/core/lib/Drupal/Core/DrupalKernel.php#L999)  
D9: [https://git.drupalcode.org/project/drupal/-/blob/9.4.x/core/lib/Drupal/Core/DrupalKernel.php#L995](https://git.drupalcode.org/project/drupal/-/blob/9.4.x/core/lib/Drupal/Core/DrupalKernel.php#L995)

There should be no need to alter this configuration, for example with an `ini_set()` override in settings.php; Drupal applies the setting itself at bootstrap, as the code linked above shows.

### Drupal will set the _Secure_ attribute on session cookies when the site is being accessed via https

D7: [https://git.drupalcode.org/project/drupal/blob/7.x/includes/bootstrap.inc#L821](https://git.drupalcode.org/project/drupal/blob/7.x/includes/bootstrap.inc#L821)  
D8: [https://git.drupalcode.org/project/drupal/blob/8.8.x/core/lib/Drupal/Core/Session/SessionConfiguration.php#L37](https://git.drupalcode.org/project/drupal/blob/8.8.x/core/lib/Drupal/Core/Session/SessionConfiguration.php#L37)  
D9: [https://git.drupalcode.org/project/drupal/-/blob/9.4.x/core/lib/Drupal/Core/Session/SessionConfiguration.php#L45](https://git.drupalcode.org/project/drupal/-/blob/9.4.x/core/lib/Drupal/Core/Session/SessionConfiguration.php#L45)

**Therefore, if the site is being accessed via https, the session cookie will typically have both the _HttpOnly_ and _Secure_ attributes set.**

### Common pitfalls

When testing session cookie attributes, accessing the site over plain http will result in the _Secure_ attribute not being set on the session cookie, because Drupal only adds it when the request itself arrived over https. In addition, browsers will never send a _Secure_ cookie with a (non-secure) plain http request, so a cookie that was set over https will not appear in a subsequent http request.

Examining the PHP session cookie settings in php.ini or in the output of phpinfo() will not tell you what Drupal actually uses: Drupal overrides these settings at runtime, as shown in the code linked above, so the only reliable check is the cookie the site actually sets.

### Recommended testing approach

It's best to use a browser's developer tools to examine the attributes of Drupal's session cookie once you have logged in to the site (over https if you're hoping to see the _Secure_ attribute set).
![Browser window showing a Drupal admin configuration page, with developer tools open, displaying cookie storage and detailed cookie information.](https://acquia.widen.net/content/a1da83ec-bbfa-4e9f-89ea-c18abe79ccb6/web/ka06g000001twd300N6g00000VCdgi0EM6g000002Wyd4.png)

### Warning: "mixed mode"

Versions of Drupal before 8 had an option sometimes referred to as "mixed mode" for sessions, whereby there are two session cookies: one for secure (https) requests and one for non-secure (http) requests. In this case the non-secure cookie will not have the _Secure_ attribute set, which is expected and is not a sign that Drupal's defaults have been broken.

This option doesn't have a very descriptive name; in settings.php it is enabled with:

    $conf['https'] = 1;

...which sometimes leads to confusion, since it's not obvious what putting this in settings.php will actually do.

See the [docs on mixed mode](https://www.drupal.org/https-information#drupal-config). This option was removed in Drupal 8, and there's seldom a good reason to use it.
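Developer tools are the recommended way to look at the cookie, but when you are checking many environments it helps to run the same check over the raw `Set-Cookie` headers of a login response (for example the output of `curl -si` against the login form). The script below is an added example for the testing approach and the mixed-mode warning above; it is not part of this article or of Drupal itself. It assumes only what the linked core code does: Drupal names its session cookie `SESS<hash>` over plain http and `SSESS<hash>` over https, sets _HttpOnly_ unconditionally, and sets _Secure_ only for https requests. The sample headers, cookie names and values are constructed for the example; the `expires` date and hash are made up.

```python
"""
Check the attributes Drupal puts on its session cookie, working from the raw
Set-Cookie header values of a login response (captured e.g. with `curl -si`).

Assumption (from Drupal core): the session cookie is named SESS<hash> when the
site is accessed over plain http and SSESS<hash> over https, so only the
prefix is matched here; the hash varies per site.
"""
from __future__ import annotations

from dataclasses import dataclass, field

SESSION_PREFIXES = ("SSESS", "SESS")


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str]]:
    """Split one Set-Cookie header value into (name, value, {attr_lower: value}).

    Flag attributes such as Secure and HttpOnly map to an empty string.
    Splitting on ';' is safe: the Expires date contains a comma but no semicolon.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


@dataclass
class SessionCookieReport:
    name: str
    secure: bool
    httponly: bool
    samesite: str | None
    findings: list[str] = field(default_factory=list)


def check_session_cookies(set_cookie_headers: list[str], over_https: bool) -> list[SessionCookieReport]:
    """Report on every Drupal session cookie among the given Set-Cookie values.

    over_https records which scheme the test request used, because Drupal only
    adds Secure when the request it handled was itself https.
    """
    reports: list[SessionCookieReport] = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if not name.startswith(SESSION_PREFIXES):
            continue  # has_js, Drupal.visitor.* and similar are not session cookies
        report = SessionCookieReport(
            name=name,
            secure="secure" in attrs,
            httponly="httponly" in attrs,
            samesite=attrs.get("samesite"),
        )
        if not report.httponly:
            report.findings.append(
                "HttpOnly missing: Drupal always sets it, so a proxy, module or settings.php override has altered the cookie")
        if not report.secure:
            if over_https:
                report.findings.append(
                    "Secure missing although the request was https: check whether TLS termination leaves Drupal seeing a plain-http request")
            else:
                report.findings.append(
                    "Secure missing, but the request was plain http, so this is expected: retest over https")
        reports.append(report)

    # Drupal 7 "mixed mode" ($conf['https'] = 1) issues both an SSESS (secure)
    # and a SESS (non-secure) cookie for one login; flag the non-secure half.
    names = {r.name for r in reports}
    if any(n.startswith("SSESS") for n in names) and any(n.startswith("SESS") for n in names):
        for r in reports:
            if r.name.startswith("SESS"):
                r.findings.append(
                    "paired with an SSESS cookie: this looks like Drupal 7 mixed mode, so the missing Secure attribute is by design")
    return reports


# Constructed sample headers modelled on a Drupal login response (made-up hash and values).
HTTPS_LOGIN_HEADERS = [
    "SSESS9d3c0e1f2a4b5c6d7e8f9a0b1c2d3e4f=Kq8LmN2pQrS4tUvWxYz; expires=Sat, 02-Apr-2022 21:12:06 GMT; "
    "Max-Age=2000000; path=/; domain=.example.com; secure; HttpOnly; SameSite=Lax",
    "has_js=1; path=/",
]
HTTP_LOGIN_HEADERS = [
    "SESS9d3c0e1f2a4b5c6d7e8f9a0b1c2d3e4f=Kq8LmN2pQrS4tUvWxYz; expires=Sat, 02-Apr-2022 21:12:06 GMT; "
    "Max-Age=2000000; path=/; domain=.example.com; HttpOnly",
]


def main() -> None:
    for label, headers, https in (("https login", HTTPS_LOGIN_HEADERS, True),
                                  ("http login", HTTP_LOGIN_HEADERS, False)):
        for r in check_session_cookies(headers, over_https=https):
            print(f"{label}: {r.name} Secure={r.secure} HttpOnly={r.httponly} SameSite={r.samesite}")
            for finding in r.findings:
                print(f"  - {finding}")


if __name__ == "__main__":
    main()
```

To use it against a real site, paste the `Set-Cookie` header values from the login response into the list and pass `over_https` according to the scheme you actually requested; the "expected" finding for a plain-http test exists precisely to stop the first pitfall above from being reported as a misconfiguration.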