Open luma7 opened 2 months ago
Hi, after migrating some application with activerecord-session_store from Rails 6.1.7 to 7.1.3.4, the SameSite attribute is missing in cookies:
```
curl -v http://localhost:3000
...
< set-cookie: _cta_session=9f0ec74db42eb11e0434f81fc257c348; path=/; httponly
...
```
I was expecting "SameSite=Lax" which is the default for Rails applications according to https://guides.rubyonrails.org/configuring.html#config-action-dispatch-cookies-same-site-protection:
```
< set-cookie: _cta_session=9f0ec74db42eb11e0434f81fc257c348; path=/; httponly; SameSite=Lax
```
It's the same issue with versions 2.0.0 and 2.1.0 of activerecord-session_store, and it's working with https://api.rubyonrails.org/classes/ActionDispatch/Session/CookieStore.html.
Steps to reproduce:
```
rails new cookies_test_app
cd cookies_test_app
rails generate controller Some

# app/controllers/some_controller.rb:
class SomeController < ApplicationController
  def index
    session[:something] = true
    render plain: "hi there"
  end
end

# add to config/routes.rb:
root "some#index"

# add to Gemfile:
gem 'activerecord-session_store'

# execute migrations
rails db:migrate

# config/session_store.rb:
CookiesTestApp::Application.config.session_store :active_record_store, key: '_cta_session', secure: Rails.env.production?
```
And then see "set-cookie" in the result of "curl -v http://localhost:3000".
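A regression check for the symptom reported above, as an added example that is not part of the original report or of activerecord-session_store: it scans `curl -v` output for `set-cookie` lines and flags cookies sent without a usable SameSite attribute. The function names and the sample output are constructed for illustration.

```ruby
# Parse one Set-Cookie line (optionally prefixed with curl's "< ") into
# name, value and attributes. Attribute names are case-insensitive, so
# they are downcased; flag attributes such as HttpOnly are stored as true.
def parse_set_cookie(line)
  raw = line.strip.sub(/\A<?\s*set-cookie:\s*/i, "")
  pair, *attrs = raw.split(";").map(&:strip).reject(&:empty?)
  name, value = pair.to_s.split("=", 2)
  attributes = attrs.each_with_object({}) do |attr, h|
    key, val = attr.split("=", 2)
    h[key.downcase] = val.nil? ? true : val
  end
  { name: name, value: value, attributes: attributes }
end

# Return the SameSite problems found on one parsed cookie.
def same_site_findings(cookie)
  attrs = cookie[:attributes]
  same_site = attrs["samesite"]
  if same_site.nil? || same_site == true
    ["missing SameSite"]
  elsif !%w[lax strict none].include?(same_site.downcase)
    ["unrecognised SameSite=#{same_site}"]
  elsif same_site.casecmp?("none") && !attrs["secure"]
    ["SameSite=None without Secure"]
  else
    []
  end
end

# Audit every set-cookie response header in captured `curl -v` output.
# Returns [cookie_name, findings] pairs in the order the headers appear.
def audit(curl_output)
  curl_output.each_line.grep(/^<?\s*set-cookie:/i).map do |line|
    cookie = parse_set_cookie(line)
    [cookie[:name], same_site_findings(cookie)]
  end
end

# Constructed sample: the first response shows the reported behaviour,
# the second the expected one. Session ids are made up.
SAMPLE = <<~OUT
  < HTTP/1.1 200 OK
  < set-cookie: _cta_session=0123456789abcdef; path=/; httponly
  < HTTP/1.1 200 OK
  < set-cookie: _cta_session=fedcba9876543210; path=/; httponly; SameSite=Lax
OUT

audit(SAMPLE).each { |name, f| puts "#{name}: #{f.empty? ? 'ok' : f.join(', ')}" }
```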