SESSION_COOKIES_SAMESITE has to be 'strict' or 'lax'

[hazymoon22]

• django-cookies-samesite version: 0.5
• Django version: 2.2.7
• Python version: 3.7
• Operating System: Linux

Description

Chrome now explicitly want us to set the SameSite = "None" to use cross domain cookies.
Django version 2.2.7 does not allow for SESSION_COOKIES_SAMESITE = "None".

What I Did

Install django-cookies-samesite with: pip install django-cookies-samesite
Add this on top of MIDDLEWARE: 'django_cookies_samesite.middleware.CookiesSameSite'
Set SESSION_COOKIES_SAMESITE = "None" in settings.py
Deploy the app with Docker

Result

Encountered this error when access to the webapp:
ValueError: samesite must be "lax" or "strict".

[jotes]

@fuih Hey,
It looks like Django produces that error because it uses the same setting and that creates a conflict.
A potential workaround for this problem is to use different names for those conflicting settings.

[estianross]

Is a fix for this on the way?

[jotes]

Yup, it will be released today.

…

On Thu, 19 Mar 2020 at 06:33, Estian Rosslee ***@***.***> wrote: Is a fix for this on the way? — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#19 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACDAYTBXXKEWJVTL6PP72HTRIGVELANCNFSM4LODSQVQ> .

-- Kind regards Jarek "jotes" Śmiejczak, a python programmer by day, a mozillian by heart... Homepage: http://jotes.work, Github: http://github.com/jotes Mobile: +48693027040, Mozillian: http://mozillians.org/u/jotes

[jotes]

@fuih Hey,
Can you download the latest release (0.5.1) and add the following setting:

DCS_SESSION_COOKIES_SAMESITE = 'none'

and tell me if that fixed your problem?

[hazymoon22]

@jotes
After i did as the instructions, django no longer throws the error anymore. But since Chrome now required Samesite = "None" has to come with Secure = True in order to use cross domain cookies and i don't have https implemented, i can't test if the package work or not, sorry about that.

[jotes]

@fuih Don't worry :-) I'm going to close this issue then, because the workaround seems to work.