Currently, if not in debug mode, HTTP cookies have SameSite set to None; Secure. However, Lax is the current suggested default, both from Django and from major web browsers. The dlab use case for None has been removed, and if we need to set cookies with None in the future, we can make exceptions, but it should not be the global default.
So, to solve this issue:
- update django to use Lax instead of None in prod environments (leave the `if not DEBUG` conditional alone)
- ensure local dev environments don't break
- ensure production environments don't break
This is a bit open-ended - I'm not sure what problems may occur here. So please make sure to test as many actions as possible that involve cookies (e.g. log in and log out, actions which require being logged in like create a project, edit a project, update a user profile, etc.) -- and if you have any specific information on other security settings we should look at, please tell me so.
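The change requested above is a settings change plus a round of manual testing. The following is an added example, not code from the CivicTechExchange repository: a small Python helper that mirrors the intended `if not DEBUG` block (the exact contents of the project's settings.py lines are assumed, not copied) and an audit function that parses `Set-Cookie` headers captured while exercising login, logout and other cookie-bearing actions, flagging any cookie that still carries `SameSite=None` or lacks `Secure` in production. The header strings at the bottom are constructed samples.

```python
"""Added example: check Django cookie SameSite/Secure attributes after the Lax change.

Assumptions (not from the project): the settings block below approximates the
`if not DEBUG` section of democracylab/settings.py; the Set-Cookie samples are
constructed, not captured from a real deployment.
"""


def django_cookie_settings(debug: bool) -> dict:
    """Return the cookie-related settings the issue asks for.

    Outside debug mode, session and CSRF cookies get SameSite=Lax (the Django
    and browser default) and Secure. In debug mode nothing is overridden, so
    Django's own defaults (SameSite=Lax, Secure=False) apply for local dev.
    """
    settings = {}
    if not debug:
        settings["SESSION_COOKIE_SAMESITE"] = "Lax"
        settings["CSRF_COOKIE_SAMESITE"] = "Lax"
        settings["SESSION_COOKIE_SECURE"] = True
        settings["CSRF_COOKIE_SECURE"] = True
    return settings


def parse_set_cookie(header: str) -> tuple[str, dict]:
    """Split a Set-Cookie header value into (cookie name, {attribute: value}).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), attrs


def audit_set_cookie(header: str, expected_samesite: str = "Lax",
                     require_secure: bool = True) -> list[str]:
    """Return a list of findings for one Set-Cookie header (empty list = OK)."""
    name, attrs = parse_set_cookie(header)
    findings = []
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append(f"{name}: no SameSite attribute (set it explicitly)")
    elif samesite.lower() != expected_samesite.lower():
        findings.append(f"{name}: SameSite={samesite}, expected {expected_samesite}")
    if samesite and samesite.lower() == "none" and "secure" not in attrs:
        # Browsers reject SameSite=None cookies that are not also Secure.
        findings.append(f"{name}: SameSite=None requires Secure")
    if require_secure and "secure" not in attrs:
        findings.append(f"{name}: missing Secure")
    return findings


def audit_headers(headers: list[str], debug: bool = False) -> dict:
    """Audit every Set-Cookie header from a test run; keyed by cookie name.

    In local dev (debug=True) HTTP is expected, so Secure is not required.
    """
    report = {}
    for header in headers:
        name, _ = parse_set_cookie(header)
        report[name] = audit_set_cookie(header, require_secure=not debug)
    return report


# Constructed samples: what a login response looked like before and after the change.
OLD_PROD_HEADERS = [
    "sessionid=abc123; Path=/; SameSite=None; Secure; HttpOnly",
    "csrftoken=tok456; Path=/; SameSite=None; Secure",
]
NEW_PROD_HEADERS = [
    "sessionid=abc123; Path=/; SameSite=Lax; Secure; HttpOnly",
    "csrftoken=tok456; Path=/; SameSite=Lax; Secure",
]

if __name__ == "__main__":
    for label, headers in (("before", OLD_PROD_HEADERS), ("after", NEW_PROD_HEADERS)):
        print(label, audit_headers(headers))
```

To use this against a real run, copy the `Set-Cookie` values from the browser's network panel (or a `curl -i` login request) for each action in the test list and pass them to `audit_headers`; an empty findings list for every cookie is the pass condition.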
@Ulyssia Hi, I'm helping with development focus for DemocracyLab. We've created a DemocracyLab Dashboard and would like to update the status of this issue.
Are you still working on it? If so, what are the next steps, or what challenges are there to moving forward?
Or is this still an issue/should we close it?
Or, if you just aren't available to work on it anymore, please let me know, and/or unassign yourself.
https://github.com/DemocracyLab/CivicTechExchange/blob/17ab670975f9bfa0de8f5b033eaccdc92e9d3a96/democracylab/settings.py#L377-L379
Django docs: