Opened 4 years ago
Last modified 4 years ago
#31934 closed Cleanup/optimization
SESSION_COOKIE_SAMESITE - document that unsetting "SameSite" has defaults in some browsers — at Version 1
Reported by: | אורי | Owned by: | nobody |
---|---|---|---|
Component: | Documentation | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | אורי | Triage Stage: | Ready for checkin |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description (last modified by )
SESSION_COOKIE_SAMESITE is documented (in Django 3.1) with the options 'Strict', 'Lax', 'None' and False. However, False means cookies will be sent without SameSite, which means some browsers (Chrome, Dolphin) will give it a default such as 'Lax', which is different from what it used to be in the past. I think this default should be documented in all active versions of Django. Maybe it's also better to add that using False is not recommended.

Also, document that with Chrome, if you use 'None' the cookie must be secure.
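The three cases the ticket describes, as an added example that is not Django's own code: it builds a session Set-Cookie header the way the setting values map to the attribute (a named value emits it, False omits it) and audits the result for the two risky shapes, a missing SameSite (browser default applies) and SameSite=None without Secure. The cookie name and value are constructed placeholders; only the standard library is used.

```python
from http.cookies import SimpleCookie


def build_session_cookie(samesite, secure):
    """Return a Set-Cookie header string.

    samesite: 'Strict', 'Lax', 'None', or False (attribute omitted,
              so the browser's own default decides the behaviour).
    secure:   whether to add the Secure attribute.
    """
    c = SimpleCookie()
    c["sessionid"] = "CONSTRUCTED-SESSION-VALUE"  # placeholder, not a real id
    c["sessionid"]["httponly"] = True
    if secure:
        c["sessionid"]["secure"] = True
    if samesite:  # False -> no SameSite attribute at all
        c["sessionid"]["samesite"] = samesite
    return c["sessionid"].OutputString()


def audit_set_cookie(header):
    """Return a list of findings for one Set-Cookie header string."""
    attrs = {}
    for part in header.split(";")[1:]:
        name, _, value = part.strip().partition("=")
        attrs[name.lower()] = value  # flag attributes carry an empty value
    findings = []
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append("SameSite absent: Chrome applies its Lax default")
    elif samesite.lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure: Chrome rejects it")
    return findings


if __name__ == "__main__":
    for samesite, secure in [(False, True), ("None", False),
                             ("None", True), ("Lax", True)]:
        header = build_session_cookie(samesite, secure)
        print(header, "->", audit_set_cookie(header) or "ok")
```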