My embedded app is running on Django 3.0 and I use the embedded app SDK to make sure the pages are embedded in the admin panel.
I use the following Django settings for the new Chrome SameSite=None and Secure requirements:
SESSION_COOKIE_SAMESITE = None
CSRF_COOKIE_SAMESITE = None
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
SESSION_SAVE_EVERY_REQUEST = True
However, when I test this using the chrome://flags/ test settings, my app doesn't redirect to my app homepage after authenticating. It creates a new session for a shop, but in the last step it doesn't redirect to the homepage.
Also, of the many cookies listed in Chrome Inspect > Application > Cookies, only one single cookie shows Secure and SameSite=None; all other cookies are missing SameSite=None and some don't even show the checkmark for Secure.
I was wondering if anyone here ran into the same issue and found a solution?
This is an accepted solution.
SESSION_COOKIE_SAMESITE = None
Django ignores it.
It should be:
SESSION_COOKIE_SAMESITE = 'None' # as a string
However, this throws an error. Django has fixed this in the development version (3.1), but that isn't due to be released until August.
I wrote some middleware to get around this issue (tested in Django 3.0.3):
from django.utils.deprecation import MiddlewareMixin

class SameSiteMiddleware(MiddlewareMixin):
    def process_response(self, request, response):
        if 'sessionid' in response.cookies:
            response.cookies['sessionid']['samesite'] = 'None'
        if 'csrftoken' in response.cookies:
            response.cookies['csrftoken']['samesite'] = 'None'
        return response
MIDDLEWARE = [
    '<app name>.middleware.SameSiteMiddleware',  # position it at the top
    ...
]
SESSION_COOKIE_SAMESITE = None
CSRF_COOKIE_SAMESITE = None
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
SESSION_SAVE_EVERY_REQUEST = True
Hope this helps,
Edit: make sure you delete the existing sessionid cookie in the browser when testing.
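To show what the settings in the question and the middleware in the accepted answer actually do to the Set-Cookie header, here is an added example (not code from the thread): a middleware in the same shape as the answer's, extended to also force Secure on the rewritten cookies, because browsers that enforce the new rules drop a SameSite=None cookie that is not Secure. It rewrites only the named cookies and leaves every other cookie alone. The cookie names are hard-coded to Django's defaults as an assumption; a real project would read settings.SESSION_COOKIE_NAME and settings.CSRF_COOKIE_NAME. It runs against a stand-in response object built on the standard library's SimpleCookie (which is what Django's HttpResponse.cookies is), so it can be executed without Django installed; the fallback MiddlewareMixin is only used when Django is absent.

```python
"""Added example: SameSite=None middleware that also forces Secure.
Not code from the thread; the cookie names below are an assumption."""
from http.cookies import SimpleCookie

try:
    from django.utils.deprecation import MiddlewareMixin  # real Django import
except ImportError:  # stand-in with the same call protocol, for running without Django
    class MiddlewareMixin:
        def __init__(self, get_response=None):
            self.get_response = get_response

        def __call__(self, request):
            response = self.get_response(request)
            return self.process_response(request, response)

# Assumed names (Django's defaults). In a project read them from settings.
SAMESITE_NONE_COOKIES = ("sessionid", "csrftoken")


class SameSiteNoneMiddleware(MiddlewareMixin):
    """Rewrite SameSite to 'None' on the listed cookies and force Secure on them.

    Place it first in MIDDLEWARE so its process_response runs last, after the
    session and CSRF middleware have added their cookies to the response.
    """

    def process_response(self, request, response):
        for name in SAMESITE_NONE_COOKIES:
            if name in response.cookies:
                morsel = response.cookies[name]
                morsel["samesite"] = "None"   # needs Python 3.8+ (Morsel samesite support)
                morsel["secure"] = True       # SameSite=None is rejected without Secure
        return response


class FakeResponse:
    """Constructed stand-in for django.http.HttpResponse: only .cookies is needed."""

    def __init__(self):
        self.cookies = SimpleCookie()


def render_cookie(response, name):
    """Return the Set-Cookie header value that would be emitted for one cookie."""
    return response.cookies[name].OutputString()


def cross_site_safe(response, name):
    """True when the cookie carries both SameSite=None and Secure."""
    morsel = response.cookies[name]
    return morsel["samesite"] == "None" and bool(morsel["secure"])


def demo():
    """Simulate a Django 3.0 response with SESSION_COOKIE_SAMESITE = None
    (no SameSite attribute at all), run the middleware, and return the
    rendered header value for each cookie."""
    response = FakeResponse()
    response.cookies["sessionid"] = "abc123"          # constructed sample values
    response.cookies["sessionid"]["httponly"] = True
    response.cookies["csrftoken"] = "tok456"
    response.cookies["other"] = "keep-me"             # unrelated cookie, must stay Lax
    response.cookies["other"]["samesite"] = "Lax"

    SameSiteNoneMiddleware(lambda request: response)(None)
    return {name: render_cookie(response, name) for name in response.cookies}


if __name__ == "__main__":
    for name, header in demo().items():
        print(f"Set-Cookie: {header}")
```

Running the block prints one Set-Cookie line per cookie; the session and CSRF cookies come out with SameSite=None and Secure (the session cookie keeps HttpOnly), while the unrelated cookie keeps SameSite=Lax. From Django 3.1 on, SESSION_COOKIE_SAMESITE = 'None' and CSRF_COOKIE_SAMESITE = 'None' are accepted directly and the middleware is no longer needed.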
This solution didn't work for me in a later version of Django, but I did something similar.
I created a middleware:
from django.conf import settings
from django.contrib.sessions.middleware import SessionMiddleware as DjangoSessionMiddleware


class SessionMiddleware(DjangoSessionMiddleware):
    def process_response(self, request, response):
        # Let Django's own session middleware set the session cookie first
        response = super().process_response(request, response)
        if settings.SESSION_COOKIE_NAME in response.cookies:
            response.cookies[settings.SESSION_COOKIE_NAME]['samesite'] = 'None'
        if settings.CSRF_COOKIE_NAME in response.cookies:
            response.cookies[settings.CSRF_COOKIE_NAME]['samesite'] = 'None'
        return response
Then I replaced the default 'django.contrib.sessions.middleware.SessionMiddleware' in settings.py with 'my_app.middleware.SessionMiddleware'.
Thank you for your suggestion.
I did exactly the same in Django 2.2, but it doesn't work as expected. In fact CSRF_COOKIE_NAME takes the value "None" in the middleware, but the problem is that the GET request is performed before the execution of the middleware:
1) samesite<AsgiRequest: GET '/test'> (printed in the view)
2) SessionMiddleware CSRF_COOKIE_NAME = None (printed in the middleware)
Hence the csrftoken cookie keeps the default value in the browser.
Thanks to the previous answers, this is what worked for me.
1) In your settings.py
a) add the SameSite parameters
CSRF_COOKIE_SAMESITE = None
CSRF_COOKIE_SECURE = True
b) add a reference to the middleware you will create in step 2
MIDDLEWARE = [
    'myapp.middleware.SameSiteMiddleware',  # position it at the top
    # ... the rest of your middleware list follows
]
2) Create the middleware that will override the None value with the string 'None'.
In your app folder (myapp) create a file named middleware.py with the following code:
from django.utils.deprecation import MiddlewareMixin

class SameSiteMiddleware(MiddlewareMixin):
    def process_response(self, request, response):
        if 'csrftoken' in response.cookies:
            response.cookies['csrftoken']['samesite'] = 'None'
        return response
Don't hesitate to reply if you have a problem or error.