rails / activerecord-session_store

Active Record's Session Store extracted from Rails
MIT License

SameSite attribute missing in cookies #214

Open luma7 opened 2 months ago

luma7 commented 2 months ago

Hi, after migrating an application that uses activerecord-session_store from Rails 6.1.7 to 7.1.3.4, the SameSite attribute is missing from the session cookie:

curl -v http://localhost:3000
...
< set-cookie: _cta_session=9f0ec74db42eb11e0434f81fc257c348; path=/; httponly
...

I was expecting "SameSite=Lax" which is the default for Rails applications according to https://guides.rubyonrails.org/configuring.html#config-action-dispatch-cookies-same-site-protection:

< set-cookie: _cta_session=9f0ec74db42eb11e0434f81fc257c348; path=/; httponly; SameSite=Lax

It's the same issue with versions 2.0.0 and 2.1.0 of activerecord-session_store, and it's working with https://api.rubyonrails.org/classes/ActionDispatch/Session/CookieStore.html.

Steps to reproduce:

rails new cookies_test_app
cd cookies_test_app
rails generate controller Some

# app/controllers/some_controller.rb:
class SomeController < ApplicationController
  def index
    session[:something] = true
    render plain: "hi there"
  end
end

# add to config/routes.rb:
root "some#index"

# add to Gemfile:
gem 'activerecord-session_store'

# execute migrations
rails db:migrate

# config/session_store.rb:
CookiesTestApp::Application.config.session_store :active_record_store, key: '_cta_session', secure: Rails.env.production?

And then see "set-cookie" in the result of "curl -v http://localhost:3000".
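To make the check in this report repeatable rather than eyeballing curl output, the following is an added example (not code from the issue, from Rails or from activerecord-session_store) that parses a Set-Cookie header value and reports the attributes a session cookie should carry. The two header strings are copied from the curl output in the report; everything else (function names, the `https:` keyword) is this example's own choice.

```ruby
# Constructed sample values, taken verbatim from the report's curl output.
OBSERVED = "_cta_session=9f0ec74db42eb11e0434f81fc257c348; path=/; httponly"
EXPECTED = "_cta_session=9f0ec74db42eb11e0434f81fc257c348; path=/; httponly; SameSite=Lax"

# Parse one Set-Cookie header value into the cookie name/value and a hash of
# attributes. Attribute names are downcased because they are case-insensitive;
# flag attributes without a value (HttpOnly, Secure) are stored as true.
def parse_set_cookie(header)
  pair, *attrs = header.split(";").map(&:strip)
  name, value = pair.split("=", 2)
  attributes = attrs.each_with_object({}) do |attr, h|
    k, v = attr.split("=", 2)
    h[k.downcase] = v.nil? ? true : v
  end
  { name: name, value: value, attributes: attributes }
end

# Return the list of findings for a session cookie header. `https:` states
# whether the response was served over TLS, since Secure only matters there.
# An empty list means the cookie carries every attribute this audit expects.
def audit_session_cookie(header, https: true)
  attrs = parse_set_cookie(header)[:attributes]
  findings = []

  same_site = attrs["samesite"]
  if same_site.nil?
    findings << "missing SameSite (browser default applies, not the app's policy)"
  elsif same_site.casecmp("none").zero? && !attrs["secure"]
    findings << "SameSite=None requires Secure"
  end

  findings << "missing HttpOnly" unless attrs["httponly"]
  findings << "missing Secure on an HTTPS response" if https && !attrs["secure"]
  findings
end

# Stand-alone run: reproduce the report's comparison on a local http:// server.
if __FILE__ == $0
  { "observed" => OBSERVED, "expected" => EXPECTED }.each do |label, header|
    findings = audit_session_cookie(header, https: false)
    puts "#{label}: #{findings.empty? ? 'ok' : findings.join('; ')}"
  end
end
```

Running the script prints one finding for the observed header (the missing SameSite attribute) and `ok` for the expected one. The same function can be dropped into a request spec to fail the build whenever the session cookie loses the attribute again.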