Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#31933 closed Bug (wontfix)

Regression in Set-Cookie which affects Django users

Reported by: אורי
Owned by: nobody
Component: HTTP handling
Version: dev
Severity: Normal
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

It seems that there is a regression in Set-Cookie in browsers such as Chrome and Dolphin, which affects Django users. SESSION_COOKIE_SAMESITE = None does not work any more with those browsers. This affects all versions of Django, and especially where it's not possible to explicitly set cookies to SameSite=None (Django <= 3.0).

You can read about it in the following links:

You can see more information in the question I just asked on Stack Overflow.

I think it should be made possible to explicitly set cookies to SameSite=None, also in settings such as SESSION_COOKIE_SAMESITE, and backport it to all working versions of Django.

Change History (2)

comment:1 Changed 2 years ago by Mariusz Felisiak

Component: Core (Other) → HTTP handling
Resolution: → wontfix
Status: new → closed

We decided that it's a new feature that will not be backported to Django 3.0, see #30862, and discussion in PR.

comment:2 in reply to:  1 Changed 2 years ago by אורי

Replying to felixxm:

> We decided that it's a new feature that will not be backported to Django 3.0, see #30862, and discussion in PR.

These decisions were probably before the breaking changes in Chrome.

Django 2.2 and 3.0 still have a long time to live (until 2022) and the changes in Chrome, Dolphin and possibly other browsers will break this setting (SESSION_COOKIE_SAMESITE = None or CSRF_COOKIE_SAMESITE = None will not work as expected).

Last edited 2 years ago by אורי
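
An added example (not from the ticket or from Django itself) of one way to make the attribute explicit on versions where the settings cannot: a WSGI wrapper that appends SameSite=None; Secure to selected Set-Cookie headers that carry no SameSite attribute. The names explicit_samesite_none, SameSiteNoneMiddleware and ALLOWED are hypothetical, and the cookie names assume Django's defaults sessionid and csrftoken.

```python
# Added example: WSGI wrapper, independent of Django's own cookie handling.
# Assumption: the site is served over HTTPS, since browsers that enforce the
# new behaviour only accept SameSite=None together with Secure.

ALLOWED = ("sessionid", "csrftoken")  # assumed: Django's default cookie names


def explicit_samesite_none(set_cookie_value, names=ALLOWED):
    """Return the Set-Cookie value with SameSite=None; Secure made explicit.

    Cookies outside the allow-list, and cookies that already state a SameSite
    policy, are returned unchanged.
    """
    name = set_cookie_value.split("=", 1)[0].strip()
    if name not in names:
        return set_cookie_value
    attrs = [a.strip() for a in set_cookie_value.split(";")]
    keys = {a.split("=", 1)[0].lower() for a in attrs[1:]}
    if "samesite" in keys:
        return set_cookie_value  # keep the application's explicit choice
    attrs.append("SameSite=None")
    if "secure" not in keys:
        attrs.append("Secure")
    return "; ".join(attrs)


class SameSiteNoneMiddleware:
    """Wrap a WSGI application and rewrite its Set-Cookie response headers."""

    def __init__(self, app, names=ALLOWED):
        self.app = app
        self.names = names

    def __call__(self, environ, start_response):
        def patched_start(status, headers, exc_info=None):
            rewritten = [
                (k, explicit_samesite_none(v, self.names))
                if k.lower() == "set-cookie" else (k, v)
                for k, v in headers
            ]
            return start_response(status, rewritten, exc_info)
        return self.app(environ, patched_start)


if __name__ == "__main__":
    # Constructed sample header, as emitted when no SameSite attribute is set.
    print(explicit_samesite_none("sessionid=abc123; HttpOnly; Path=/"))
```

Keep the allow-list as small as the cross-site use case requires and leave CSRF protection enabled, because a cookie marked SameSite=None is sent on cross-site requests.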