bbangert / beaker

WSGI middleware for sessions and caching
https://beaker.readthedocs.org/

Samesite flag not set #167

Closed tvlieg closed 5 years ago

tvlieg commented 5 years ago

The samesite flag is not properly set upon creation of a session.

from beaker.middleware import SessionMiddleware

session_opts = {
    # ...
    'session.key': 'oncall-auth',
    'session.samesite': 'Lax',
    # ...
}
application = SessionMiddleware(application, session_opts)

This results in this cookie:

oncall-auth=<cookie>; httponly; Path=/

After logout (cookie delete) the flag is set:

oncall-auth=<cookie>; expires=Wed, 13-Dec-2017 15:20:35 GMT; httponly; Path=/; SameSite=Lax

This might be because the method _set_cookie_values (in session.py) is only called in _update_cookie_out and _delete_cookie. But this renders the samesite cookie useless, so it would be nice if this could be fixed.
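A way to check for the symptom reported above at the WSGI layer, as an added example that is not part of the original report or of Beaker's own code. The names `parse_set_cookie`, `audit_app` and `fake_app` and the `REQUIRED` policy are assumptions made for illustration, and the two cookie strings are constructed to match the shape of the ones quoted in the report.

```python
from wsgiref.util import setup_testing_defaults

REQUIRED = ("httponly", "samesite")  # assumed policy for a session cookie


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, {attribute: value})."""
    first, *rest = [part.strip() for part in value.split(";")]
    attrs = {}
    for part in filter(None, rest):
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.split("=", 1)[0], attrs


def audit_app(app, cookie_name, required=REQUIRED):
    """Call a WSGI app once; map each Set-Cookie for cookie_name to its missing attributes."""
    environ = {}
    setup_testing_defaults(environ)
    headers = []

    def start_response(status, response_headers, exc_info=None):
        headers.extend(response_headers)
        return lambda data: None

    body = app(environ, start_response)
    try:
        for _ in body:  # drain the response before inspecting the headers
            pass
    finally:
        if hasattr(body, "close"):
            body.close()
    findings = {}
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if name == cookie_name:
            findings[value] = [a for a in required if a not in attrs]
    return findings


def fake_app(set_cookie):
    """Constructed stand-in for the wrapped application, emitting one fixed cookie."""
    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain"), ("Set-Cookie", set_cookie)])
        return [b"ok"]
    return app


# Constructed values shaped like the two cookies quoted in the report.
ON_CREATE = "oncall-auth=constructed; httponly; Path=/"
ON_DELETE = "oncall-auth=constructed; expires=Wed, 13-Dec-2017 15:20:35 GMT; httponly; Path=/; SameSite=Lax"
```

Passing the real middleware-wrapped `application` to `audit_app` in place of `fake_app(...)` runs the same check against a deployed configuration, provided the requested path is one that creates a session.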

amol- commented 5 years ago

What you are trying to do seems the same as what this test does: https://github.com/bbangert/beaker/blob/master/tests/test_cookie_only.py#L305 which verifies that the samesite attribute is set on creation.

Can you provide a quick test that reproduces your issue?

tvlieg commented 5 years ago

You're right! I missed that commit, since I carried out the test with the latest release of beaker, whereas the commit that fixes the bug is not yet in a release. I'll close the issue.

Do you have any insights into when a new release will be issued?

amol- commented 5 years ago

Soon, just forgot about it. I'll make a release in the next 2-3 days.

amol- commented 5 years ago

released 1.10.1