jotes/django-cookies-samesite

SameSite not being set on sessionid

Closed this issue · 2 comments

Gee19 commented
  • django-cookies-samesite version: 0.1.2
  • Django version: 1.11.13
  • Python version: 2.7.10
  • Operating System: MacOS

Description

First of all, thanks for sharing this <3

I've added the middleware and this to my settings file as per the docs:

SESSION_COOKIE_SAMESITE = 'Lax'
SESSION_COOKIE_SAMESITE_KEYS = ['sde-csrftoken']

It seems the SameSite flag is only being set on keys in SESSION_COOKIE_SAMESITE_KEYS and not on sessionid.

See screenshot:
samesite

PS: You should add a license to this project :)

jotes commented

Hi @Gee19!

I tried to reproduce your error on my local machine and there's only one scenario that comes to my mind.

Could you check the order of middlewares in your project?
django_cookies_samesite.middleware.CookiesSameSite should be above django.contrib.sessions.middleware.SessionMiddleware.

If it's not, then the middleware will behave as you described and the sessionid cookie will not have the samesite attribute.

I'm sorry if that wasn't clearly described in the Readme.

Gee19 commented

This solved my issue :) Thanks.
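
The ordering issue resolved in this thread, as an added example that is not code from the project or from either commenter. It models only the response phase of Django's middleware chain, which runs from the bottom of the list to the top. Assumptions: the three handlers are simplified stand-ins for the real middleware, sde-csrftoken is taken to be the project's CSRF cookie name, and the BROKEN order is a constructed guess at a configuration that produces the reported symptom.

```python
SAMESITE_MW = "django_cookies_samesite.middleware.CookiesSameSite"
SESSION_MW = "django.contrib.sessions.middleware.SessionMiddleware"
CSRF_MW = "django.middleware.csrf.CsrfViewMiddleware"


def samesite_order_ok(middleware):
    """True when CookiesSameSite is listed above SessionMiddleware."""
    try:
        return middleware.index(SAMESITE_MW) < middleware.index(SESSION_MW)
    except ValueError:
        return False  # one of the two middlewares is not installed


def simulate_response(middleware, samesite="Lax",
                      keys=("sessionid", "sde-csrftoken")):
    """Return {cookie_name: attributes} after the response phase.

    Django calls response handlers in reverse list order, so a middleware
    only sees cookies added by the entries listed below it.
    """
    cookies = {}  # the view itself set no cookies
    for name in reversed(middleware):
        if name == SESSION_MW:
            # stand-in: the session cookie is added on the way out
            cookies["sessionid"] = {"HttpOnly": True}
        elif name == CSRF_MW:
            # stand-in: CSRF cookie under the assumed custom name
            cookies["sde-csrftoken"] = {}
        elif name == SAMESITE_MW:
            # can only tag cookies that are already on the response
            for key in keys:
                if key in cookies:
                    cookies[key]["SameSite"] = samesite
    return cookies


# Constructed orderings: the first reproduces the symptom, the second is the fix.
BROKEN = [SESSION_MW, SAMESITE_MW, CSRF_MW]
FIXED = [SAMESITE_MW, SESSION_MW, CSRF_MW]

if __name__ == "__main__":
    for label, order in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, samesite_order_ok(order), simulate_response(order))
```

`samesite_order_ok` can be called on `settings.MIDDLEWARE` (or `MIDDLEWARE_CLASSES` on older projects) in a startup check or test so a later reordering does not silently drop the attribute from sessionid.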