jrmcgarvey
commented
6 months ago Nevermind. It was fixed in Rack here: commit
Open jrmcgarvey opened 6 months ago
jrmcgarvey
commented
6 months ago Nevermind. It was fixed in Rack here: commit
jrmcgarvey
commented
6 months ago 
womblep
commented
6 months ago @jrmcgarvey my original comment was not to close this but I have untangled the spaghetti and think I can see how I can pass it. I will give it a go.
It might be worth leaving it open to update the documentation.
jrmcgarvey
commented
6 months ago @womblep I didn't think I could get the current version of Rails working with the latest Rack, so I did a monkeypatch. Currently Rails and Rack::Session call Rack::Response::Helpers.set_cookie, and that calls ::Rack::Utils.add_cookie_to_header. In the latest Rack, Rack::Response::Helpers.set_cookie calls Rack::Utils.set_cookie_header, so that is the method I fixed.
The monkeypatch was clumsy. It seems like Module.prepend isn't honored when the function is called via ::Rack::Response::Utils.add_cookie_to_header, that is, the reference to the global context, so I had to do a Module.prepend for Rack::Response as well as the one for add_cookie_to_header. Is that the only way to do it?
I can reopen the issue if needed. I don't know how this affects the documentation.
womblep
commented
6 months ago I am using it in Sinatra not Rails so not sure I can help.
The documentation for Rack::Session::Abstract::Persisted has all the cookie parameters listed as well as in the DEFAULT_OPTIONS. Partitioned probably should be included so it is clear in future. However the merge you list above hasn't made it to a gem release yet, I think they are waiting to merge it into Rack 3.1. I tested to the point where it hit set_cookie_header and partitioned was passed so it should all work once they release it.
If you want to reopen this, I can do a documentation update PR which can sit there until rack 3.1 is ready
jrmcgarvey
commented
6 months ago Ok, reopening for documentation purposes.
We use the session cookie to maintain state between a front end and the back end running Rails. The front end and back end are typically running on different hosts. The problem this introduces is that this cookie is a cross site cookie, and browsers are eliminating support for these. The browser vendors are providing a replacement. Cross site cookies will be allowed, so long as they are partitioned. A partitioned cookie is only active for the top level site for which it was originally set. To enable this, one has to be able to set the partitioned flag. See https://developers.google.com/privacy-sandbox/3pcd/chips . This doesn't work for session cookies today, at least in the version of Rails (7.0.4.2) I am running.