SameSite Cookie with Python/Django and the Embedded App SDK

Solved
Shopify Partner

My embedded app is running on Django 3.0 and I use the embedded app SDK to make sure the pages are embedded in the admin panel.


I use the following Django settings for the new Chrome SameSite=None and Secure requirements:


SESSION_COOKIE_SAMESITE = None
CSRF_COOKIE_SAMESITE = None
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
SESSION_SAVE_EVERY_REQUEST = True

However, when I test this using the chrome://flags/ test settings, my app doesn't redirect to my app homepage after authenticating. It creates a new session for a shop, but in the last step it doesn't redirect to the homepage.


Also, of the many cookies listed in Chrome Inspect > Application > Cookies, only one single cookie shows Secure and SameSite=None; all other cookies are missing SameSite=None and some don't even show the checkmark for Secure.


I was wondering if anyone here ran into the same issue and found a solution?



Success.

Shopify Partner

By setting:

SESSION_COOKIE_SAMESITE = None

Django ignores it.


It should be:

SESSION_COOKIE_SAMESITE = 'None' # as a string

However, this throws an error. Django has fixed this in the development version (3.1), but that isn't due to be released until August.


I wrote some middleware to get around this issue (tested in Django 3.0.3):

from django.utils.deprecation import MiddlewareMixin


class SameSiteMiddleware(MiddlewareMixin):
    # Runs on the way out: rewrite the SameSite attribute on the two cookies
    # that Django 3.0 refuses to emit with SameSite=None itself.
    def process_response(self, request, response):
        if 'sessionid' in response.cookies:
            response.cookies['sessionid']['samesite'] = 'None'
        if 'csrftoken' in response.cookies:
            response.cookies['csrftoken']['samesite'] = 'None'
        return response

settings.py

MIDDLEWARE = [
    '<app name>.middleware.SameSiteMiddleware', # position it at the top
    ...
]

SESSION_COOKIE_SAMESITE = None
CSRF_COOKIE_SAMESITE = None
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
SESSION_SAVE_EVERY_REQUEST = True


Hope this helps,

Matt


Edit: make sure you delete the existing sessionid cookie in browser when testing.

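As an added example (not code from this thread), the same workaround written as a get_response-style middleware that works directly on the standard-library SimpleCookie that Django's response.cookies is, so it can be exercised without a running Django project. It goes one step further than Matt's version by also forcing Secure, since Chrome discards SameSite=None cookies that lack it; FakeResponse and the cookie values are constructed for the demo, and the Morsel._reserved line is the same compatibility shim Django itself applies.

```python
from http.cookies import Morsel, SimpleCookie

# Python < 3.8 has no 'samesite' Morsel key; Django registers it the same way.
Morsel._reserved.setdefault('samesite', 'SameSite')
# Cookies that must still be sent when the app is framed inside the Shopify admin.
CROSS_SITE_COOKIES = ('sessionid', 'csrftoken')

def apply_samesite_none(cookies, names=CROSS_SITE_COOKIES):
    """Mark the named cookies SameSite=None and Secure; return the names changed.

    Secure is forced because Chrome discards SameSite=None cookies without it.
    """
    changed = []
    for name in names:
        if name in cookies:
            cookies[name]['samesite'] = 'None'
            cookies[name]['secure'] = True
            changed.append(name)
    return changed

def set_cookie_headers(cookies):
    """Render each cookie as the Set-Cookie header value the browser receives."""
    return [morsel.OutputString() for morsel in cookies.values()]

class SameSiteNoneMiddleware:
    """Django get_response-style middleware wrapping apply_samesite_none."""
    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        response = self.get_response(request)
        apply_samesite_none(response.cookies)
        return response

class FakeResponse:
    """Constructed stand-in for HttpResponse: only .cookies matters here."""
    def __init__(self):
        self.cookies = SimpleCookie()

def demo():
    """Run the middleware over a constructed response; return the Set-Cookie values."""
    def view(request):
        response = FakeResponse()
        response.cookies['sessionid'] = 'abc123'  # constructed values
        response.cookies['sessionid']['httponly'] = True
        response.cookies['csrftoken'] = 'tok'
        response.cookies['messages'] = 'x'  # not cross-site: left untouched
        return response
    return set_cookie_headers(SameSiteNoneMiddleware(view)(None).cookies)
```

In a real project the class is registered in MIDDLEWARE just like the MiddlewareMixin version, and the rendered header values are what you should see under Chrome Inspect > Application > Cookies after clearing the old sessionid.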
Shopify Partner

Fantastic! Thanks for your response Matt, I'll try this out.
