signebedi / gita-api

a RESTful Bhagavad Gita API
GNU Affero General Public License v3.0

[bug] Cookie “session” does not have a proper “SameSite” attribute value #109

Closed signebedi closed 8 months ago

signebedi commented 8 months ago

We should set the following config defaults (in production; set SECURE to default to False in all other envs)

    SESSION_COOKIE_SECURE=True,
    SESSION_COOKIE_SAMESITE='None',

Ref:

signebedi commented 8 months ago

This results in a few issues when running the development server:

When setting secure to True in dev on Firefox:

Cookie “session” has been rejected because a non-HTTPS cookie can’t be set as “secure”.

When setting secure to False in dev on Firefox:

Cookie “session” will be soon rejected because it has the “SameSite” attribute set to “None” without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
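The two Firefox warnings above come from one invalid pairing: `SameSite=None` is only accepted together with `Secure`, and `Secure` is only honoured over HTTPS. The following is an added example, not code from the gita-api repository, that picks a consistent `SESSION_COOKIE_*` pair per environment and checks it before handing it to Flask; the environment name `"production"`, the `"Lax"` fallback for non-production, and the function names are assumptions.

```python
"""Environment-aware Flask session-cookie defaults (added example; assumed names)."""
from typing import Dict, List


def session_cookie_config(env: str) -> Dict[str, object]:
    """Return Flask SESSION_COOKIE_* settings for the given environment.

    production: served over HTTPS, so the cookie can be Secure and use
    SameSite=None (the pair proposed in the issue).
    any other env: the dev server speaks plain HTTP, so Secure must be
    False; because SameSite=None is rejected without Secure, fall back
    to SameSite=Lax instead of None (assumed fallback).
    """
    if env == "production":
        return {"SESSION_COOKIE_SECURE": True, "SESSION_COOKIE_SAMESITE": "None"}
    return {"SESSION_COOKIE_SECURE": False, "SESSION_COOKIE_SAMESITE": "Lax"}


def validate_session_cookie_config(cfg: Dict[str, object], https: bool) -> List[str]:
    """List the complaints a browser would raise for this config.

    Mirrors the two Firefox messages quoted in the issue: a Secure cookie
    over non-HTTPS, and SameSite=None without Secure.
    """
    problems: List[str] = []
    secure = bool(cfg.get("SESSION_COOKIE_SECURE", False))
    samesite = cfg.get("SESSION_COOKIE_SAMESITE")
    if secure and not https:
        problems.append("Secure cookie cannot be set over non-HTTPS")
    if samesite == "None" and not secure:
        problems.append("SameSite=None requires the Secure attribute")
    return problems


def configure_session_cookies(app, env: str, https: bool) -> Dict[str, object]:
    """Apply the environment's defaults to a Flask-like app (any object with a
    dict-like .config). Refuses a combination the browser would reject."""
    cfg = session_cookie_config(env)
    problems = validate_session_cookie_config(cfg, https)
    if problems:
        raise ValueError("; ".join(problems))
    app.config.update(cfg)
    return cfg
```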