instructure / canvas-lms

The open LMS by Instructure, Inc.
https://github.com/instructure/canvas-lms/wiki
GNU Affero General Public License v3.0

Cross-site cookies in Canvas LMS #1893

Open Waleed-Ramadan opened 3 years ago

Waleed-Ramadan commented 3 years ago

I have an issue with Canvas: it gives me an error page right after I submit any quiz, and when I check the browser developer tools it says that I have to mark cross-site cookies as Secure to allow setting them in cross-site contexts. So how do I enable cross-site cookies in Canvas LMS, i.e. enable SameSite=None and also the Secure attribute?

I tried adding the lines below to this file, /opt/bitnami/apache2/conf, but it doesn't work.

Header always edit Set-Cookie (.*) "$1; SameSite=strict"

After I added that directive, Canvas keeps asking me for credentials and I can't log in.

I also tried this directive: Header set Set-Cookie HttpOnly;Secure;SameSite=Strict. It gives me an authentication token failure and I can't log in with my credentials.

Any help?

Thanks in advance.

JortPolderdijk commented 3 years ago

Hi @Waleed-Ramadan! You should change the config/session_store.yml configuration file (see https://github.com/instructure/canvas-lms/blob/master/config/session_store.yml.example) and make sure the secure: true option is uncommented for the environment you use (development/production).

Waleed-Ramadan commented 3 years ago

Thanks for your reply,

I uncommented secure: true in the config and restarted the service, but unfortunately I still receive the issue below:

Cookies marked with SameSite=None must also be marked with Secure to allow setting them in a cross-site context. This behavior protects user data from being sent over an insecure connection. Resolve this issue by updating the attributes of the cookie: Specify SameSite=None and Secure if the cookie is intended to be set in cross-site contexts. Note that only cookies sent over HTTPS may use the Secure attribute. Specify SameSite=Strict or SameSite=Lax if the cookie should not be set by cross-site requests.
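The two Apache directives tried in the opening post and the browser message quoted just above describe the same invariant: a cookie that is meant to be sent on cross-site requests needs SameSite=None, and SameSite=None is only accepted when the cookie is also Secure and set over HTTPS. The following Python script is an added illustration, not code from Canvas, Apache or anyone in this thread. It rewrites a Set-Cookie value the way an edit rule would (but replacing an existing SameSite/Secure attribute instead of appending a duplicate), then checks the result against the browser rule from the message above; the cookie name canvas_session and the header values are constructed sample data, and "no SameSite attribute is treated as Lax" reflects Chrome's default.

```python
"""Added example: apply a SameSite policy to Set-Cookie header values and check
them against the browser rule quoted in the issue (SameSite=None requires Secure).
Not Canvas or Apache code; the cookie name and header values are constructed."""
from dataclasses import dataclass
from typing import Optional

SAMESITE_ATTRS = ("samesite", "secure")


@dataclass
class CookieCheck:
    name: str
    samesite: Optional[str]
    secure: bool
    accepted: bool        # the browser would store the cookie at all
    cross_site_ok: bool   # the cookie would be sent on a cross-site request (e.g. an LTI iframe)
    reason: str


def parse_set_cookie(header_value: str):
    """Split a Set-Cookie value into the cookie name and a lower-cased attribute map."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.strip().lower()] = True   # flag attribute such as Secure or HttpOnly
    return name, attrs


def set_samesite(header_value: str, policy: str, secure: bool = True) -> str:
    """Rewrite the SameSite/Secure attributes of a Set-Cookie value.

    An `Header always edit Set-Cookie (.*) "$1; SameSite=..."` rule appends blindly;
    this version drops any existing SameSite/Secure attribute first so the result
    carries exactly one policy, which is what a reviewer would want to see."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    kept = [p for p in parts[1:] if p.split("=", 1)[0].strip().lower() not in SAMESITE_ATTRS]
    out = [parts[0]] + kept + [f"SameSite={policy}"]
    if secure:
        out.append("Secure")
    return "; ".join(out)


def check_cookie(header_value: str, over_https: bool = True) -> CookieCheck:
    """Apply the browser rule from the issue: SameSite=None needs Secure, and
    Secure needs HTTPS. A missing SameSite attribute is treated as Lax (Chrome's default)."""
    name, attrs = parse_set_cookie(header_value)
    samesite = attrs.get("samesite") if isinstance(attrs.get("samesite"), str) else None
    secure = attrs.get("secure") is True
    policy = (samesite or "Lax").lower()
    if secure and not over_https:
        return CookieCheck(name, samesite, secure, False, False,
                           "Secure cookies can only be set over HTTPS")
    if policy == "none" and not secure:
        return CookieCheck(name, samesite, secure, False, False,
                           "SameSite=None must also be marked Secure")
    # Lax and Strict cookies are withheld from cross-site requests, so an embedded
    # (iframe) launch would arrive without the session cookie.
    return CookieCheck(name, samesite, secure, True, policy == "none", "ok")


# Constructed sample: a session cookie as a Rails app might emit it before any rewrite.
SAMPLE = "canvas_session=abc123; path=/; HttpOnly"

if __name__ == "__main__":
    for label, value, https in (
        ("strict rewrite",      set_samesite(SAMPLE, "Strict"),             True),
        ("none, not secure",    set_samesite(SAMPLE, "None", secure=False), True),
        ("none + secure, http", set_samesite(SAMPLE, "None"),               False),
        ("none + secure, https",set_samesite(SAMPLE, "None"),               True),
    ):
        result = check_cookie(value, over_https=https)
        print(f"{label:22} accepted={result.accepted!s:5} cross_site={result.cross_site_ok!s:5} {result.reason}")
```

Running the script shows the three outcomes the thread circles around: the SameSite=Strict rewrite is stored but never sent on a cross-site request, SameSite=None without Secure is rejected with exactly the complaint the browser prints above, and only SameSite=None together with Secure over HTTPS is both accepted and usable cross-site.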

jvdm commented 3 years ago

@JortPolderdijk I have a related issue, but slightly different because LTI 1.3 launches in iframes are the trigger. Maybe the same root cause, though.