g3w-suite / g3w-admin

Server module for G3W-SUITE
https://g3w-suite.readthedocs.io/en/latest/g3wsuite_administration.html
Mozilla Public License 2.0

Cookie "g3wclientsessiontoken" does not have a proper "SameSite" attribute value. #791

Closed Raruto closed 2 months ago

Raruto commented 3 months ago

Subject of the issue

Should be fixed in future releases:

Cookie "g3wclientsessiontoken" does not have a proper "SameSite" attribute value. Soon, cookies without the "SameSite" attribute or with an invalid value will be treated as "Lax". This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the "SameSite=None" attribute to it. To know more about the "SameSite" attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Steps to reproduce

(Two screenshots attached in the original issue.)

Environment

[g3wsdk.info]

Link to your project

https://v37.g3wsuite.it/it/map/demo-37/

Additional info

No response

wlorenzetti commented 3 months ago

@Raruto test now if it is correct.

Raruto commented 3 months ago

@wlorenzetti nothing has changed for: https://v37.g3wsuite.it/it/map/demo-37/.

If I remember correctly it had been managed in here somehow: portal/apps.py#L17-L31

BTW, I think it could have greater implications (better not to work for it in 3.7/3.8).

Raruto commented 3 months ago

Cookie "g3wclientsessiontoken" will be soon rejected because it has the "SameSite" attribute set to "None" without the "secure" attribute. To know more about the "SameSite" attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Note: A Secure cookie is only sent to the server with an encrypted request over the HTTPS protocol. Note that insecure sites (http:) can't set cookies with the Secure directive, and therefore can't use SameSite=None.

@wlorenzetti ref: https://github.com/g3w-suite/g3w-admin/pull/793
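The two browser rules quoted in this thread (a missing or invalid SameSite is treated as Lax; SameSite=None is rejected unless Secure is also set, and Secure cannot be set from an http: origin) can be checked mechanically on a Set-Cookie header before it goes out. The following is an added example, not code from g3w-admin or from the pull request above; the cookie name is taken from the issue, the cookie values are constructed, and the function names (`audit_set_cookie`, `build_session_cookie`) are assumptions for illustration.

```python
"""Audit Set-Cookie headers for the SameSite/Secure problems described in the issue.

Added example: not part of g3w-admin. Cookie values below are constructed.
"""
from http.cookies import SimpleCookie
from typing import Dict, List

COOKIE_NAME = "g3wclientsessiontoken"  # name from the issue

VALID_SAMESITE = ("strict", "lax", "none")


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split a Set-Cookie header into name, value and lowercased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie(header: str, origin_scheme: str = "https") -> List[str]:
    """Return a list of findings; an empty list means the browser will accept the cookie.

    origin_scheme is the scheme of the page that sets the cookie ("http" or "https").
    """
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]  # type: ignore[assignment]
    findings: List[str] = []
    samesite = attrs.get("samesite")
    secure = "secure" in attrs

    if samesite is None:
        # Rule 1 from the issue: no SameSite -> treated as Lax, not sent cross-site.
        findings.append("missing SameSite: browsers default to Lax, cookie not sent in third-party contexts")
    elif samesite.lower() not in VALID_SAMESITE:
        findings.append(f"invalid SameSite value {samesite!r}: treated as Lax")
    elif samesite.lower() == "none" and not secure:
        # Rule 2 from the follow-up comment: None requires Secure or the cookie is rejected.
        findings.append("SameSite=None without Secure: browsers reject the cookie")

    if secure and origin_scheme.lower() == "http":
        # Note quoted in the thread: insecure (http:) sites cannot set Secure cookies.
        findings.append("Secure set from an http: origin: browser will not store the cookie")
    return findings


def build_session_cookie(name: str, value: str, secure: bool = True, samesite: str = "None") -> str:
    """Emit a Set-Cookie value that satisfies the rules above.

    Refuses the SameSite=None + non-Secure combination instead of emitting a header
    the browser would drop.
    """
    if samesite.lower() == "none" and not secure:
        raise ValueError("SameSite=None requires the Secure attribute")
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["httponly"] = True          # session token: keep it away from scripts
    jar[name]["samesite"] = samesite
    if secure:
        jar[name]["secure"] = True
    # Morsel.OutputString() renders attributes sorted by key, e.g.
    # "g3wclientsessiontoken=...; HttpOnly; Path=/; SameSite=None; Secure"
    return jar[name].OutputString()


if __name__ == "__main__":
    # Constructed headers mirroring the two browser warnings from the issue.
    samples = [
        f"{COOKIE_NAME}=abc123; Path=/",                       # first warning
        f"{COOKIE_NAME}=abc123; Path=/; SameSite=None",        # second warning
        f"{COOKIE_NAME}=abc123; Path=/; SameSite=None; Secure",  # fixed
    ]
    for header in samples:
        print(header, "->", audit_set_cookie(header) or "OK")
    print(build_session_cookie(COOKIE_NAME, "abc123"))
```

Run it as a script to see each constructed header audited; in a Django project the same check can be applied to the `Set-Cookie` headers of a test client response to catch a regression of this issue before it reaches a browser.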