Regression in Set-Cookie which affects Django users


אורי

Aug 22, 2020, 1:23:34 PM
to Django developers (Contributions to Django itself)
Django developers,

I just created issue #31933:

It seems that there is a regression in Set-Cookie in browsers such as Chrome and Dolphin, which affects Django users. SESSION_COOKIE_SAMESITE = None does not work any more with those browsers. This affects all versions of Django, and especially where it's not possible to explicitly set cookies to SameSite=None (Django <= 3.0).

You can read about it in the following links:

Cookies default to SameSite=Lax
Reject insecure SameSite=None cookies

You can see more information in the question I just asked on Stack Overflow.

I think it should be made possible to explicitly set cookies to SameSite=None, also in settings such as SESSION_COOKIE_SAMESITE, and backport it to all working versions of Django.

Adam Johnson

Aug 22, 2020, 2:34:29 PM
to django-d...@googlegroups.com
Hi Uri

You implied it, but to make it explicit - Django 3.1 allows setting the value "None" (string) for samesite cookies: https://docs.djangoproject.com/en/dev/releases/3.1/#django-contrib-sessions . Essentially you're asking for a backport of this feature.

I think a backport is probably reasonable if sites are broken. You didn't write in your ticket in what way SameSite=Lax breaks your sites - can you explain the use cases you need SameSite=None for?

It's also possible to work around this by using a middleware that's earlier in MIDDLEWARE than e.g. SessionMiddleware to mutate the cookie in response.cookies. The cookie object can have its samesite flag changed with the update() method:

>>> from django.http import HttpResponse
>>> resp = HttpResponse()
>>> resp.set_cookie('foo', 'bar', samesite='Lax')
>>> resp.cookies['foo']
<Morsel: foo=bar; Path=/; SameSite=Lax>
>>> resp.cookies['foo'].update({"samesite": "None"})
>>> resp.cookies["foo"]
<Morsel: foo=bar; Path=/; SameSite=None>


Hope that helps,

Adam

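The middleware Adam describes, written out as an added example (this is not code from the thread or from Django). It uses a FakeResponse built on http.cookies.SimpleCookie so it runs without Django installed; that is a safe stand-in because django.http.HttpResponse.cookies really is a SimpleCookie, so the Morsel handling is identical in a real response. The middleware class name, the CROSS_SITE_COOKIES tuple and the sample cookie values are assumptions of the example. It needs Python 3.8 or later, where the standard library knows the SameSite attribute.

```python
from http.cookies import SimpleCookie

# Cookies that must survive a cross-site request: Django's session and CSRF
# cookies under their default names. Adjust if SESSION_COOKIE_NAME or
# CSRF_COOKIE_NAME has been changed. (Example assumption, not a Django setting.)
CROSS_SITE_COOKIES = ("sessionid", "csrftoken")


class FakeResponse:
    """Minimal stand-in for django.http.HttpResponse so the example runs
    without Django. HttpResponse.cookies is a http.cookies.SimpleCookie, so
    the Morsel handling below is exactly what happens on a real response."""

    def __init__(self):
        self.cookies = SimpleCookie()

    def set_cookie(self, key, value, path="/", secure=False, samesite=None):
        self.cookies[key] = value
        self.cookies[key]["path"] = path
        if secure:
            self.cookies[key]["secure"] = True
        if samesite:
            self.cookies[key]["samesite"] = samesite  # Python 3.8+ attribute


def force_samesite_none(response, names=CROSS_SITE_COOKIES):
    """Rewrite each named cookie that this response sets to SameSite=None.
    Secure is forced at the same time, because Chrome rejects a SameSite=None
    cookie that is not Secure. Returns the names that were rewritten."""
    changed = []
    for name in names:
        morsel = response.cookies.get(name)
        if morsel is None:
            continue  # this response does not (re)set that cookie; nothing to fix
        morsel["samesite"] = "None"  # Morsel validates the key, same as update()
        morsel["secure"] = True
        changed.append(name)
    return changed


class SameSiteNoneMiddleware:
    """Hypothetical middleware (not shipped by Django). List it in MIDDLEWARE
    *before* SessionMiddleware and CsrfViewMiddleware: response processing runs
    in reverse order, so it sees the cookies after those middlewares set them."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        response = self.get_response(request)
        force_samesite_none(response)
        return response


def demo():
    """Push a fake view through the middleware; return the Set-Cookie
    attribute string per cookie name."""

    def view(request):
        resp = FakeResponse()
        # Constructed sample: what Django <= 3.0 emits with
        # SESSION_COOKIE_SAMESITE = 'Lax' (CSRF cookie likewise).
        resp.set_cookie("sessionid", "abc123", samesite="Lax")
        resp.set_cookie("csrftoken", "tok456", samesite="Lax")
        resp.set_cookie("theme", "dark", samesite="Lax")  # not in the list; untouched
        return resp

    response = SameSiteNoneMiddleware(view)(request=None)
    return {name: m.OutputString() for name, m in response.cookies.items()}


if __name__ == "__main__":
    for name, header in demo().items():
        print(name, "->", header)
```

Only the cookies named in the tuple are touched, so an unrelated cookie keeps its SameSite=Lax. Forcing Secure means the cookies are only sent over HTTPS; on a plain-HTTP development server the session will stop working, which is the intended behaviour for SameSite=None rather than a bug in the middleware.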

Mariusz Felisiak

Aug 22, 2020, 2:48:17 PM
to Django developers (Contributions to Django itself)
We decided that it's a new feature that will not be backported to Django 3.0, see #30862, and discussion in PR (with few simple workarounds).

Best,
Mariusz

Adam Johnson

Aug 22, 2020, 3:07:56 PM
to django-d...@googlegroups.com

--
Adam

אורי

Aug 22, 2020, 9:34:26 PM
to Django developers (Contributions to Django itself)
On Sat, Aug 22, 2020 at 9:34 PM Adam Johnson <m...@adamj.eu> wrote:
> Hi Uri
>
> You implied it, but to make it explicit - Django 3.1 allows setting the value "None" (string) for samesite cookies: https://docs.djangoproject.com/en/dev/releases/3.1/#django-contrib-sessions . Essentially you're asking for a backport of this feature.

Yes. But this may also affect other settings such as CSRF_COOKIE_SAMESITE.

You can also see this answer on Stack Overflow.

> I think a backport is probably reasonable if sites are broken. You didn't write in your ticket in what way SameSite=Lax breaks your sites - can you explain the use cases you need SameSite=None for?

אורי

Aug 22, 2020, 9:35:28 PM
to Django developers (Contributions to Django itself)
On Sat, Aug 22, 2020 at 9:48 PM Mariusz Felisiak <felisiak...@gmail.com> wrote:
> We decided that it's a new feature that will not be backported to Django 3.0, see #30862, and discussion in PR (with few simple workarounds).

These decisions were probably before the breaking changes in Chrome.

אורי.

אורי

Aug 22, 2020, 9:43:47 PM
to Django developers (Contributions to Django itself)
On Sat, Aug 22, 2020 at 10:07 PM Adam Johnson <m...@adamj.eu> wrote:

Thank you. I was not aware of this package and middleware.

אורי.

אורי

Aug 23, 2020, 12:05:23 AM
to Django developers (Contributions to Django itself)
Hi,

I looked at it and I think PR #11894 should be backported to all working versions of Django. It doesn't look like it will introduce new bugs or regressions. All I need is these 2 lines:


if samesite.lower() not in ('lax', 'strict'):
raise ValueError('samesite must be "lax" or "strict".')
if samesite.lower() not in ('lax', 'none', 'strict'):
raise ValueError('samesite must be "lax", "none", or "strict".')

And the relevant documentation. This will allow setting cookies explicitly to SameSite=None. Since Django 2.2 should be supported until 2022, I think it makes sense to backport it to Django 2.2 and 3.0.

On Sat, Aug 22, 2020 at 9:48 PM Mariusz Felisiak <felisiak...@gmail.com> wrote:

Mariusz Felisiak

Aug 23, 2020, 1:19:02 AM
to Django developers (Contributions to Django itself)
It's not about the number of lines but about our backporting policy. We don't backport new features. Moreover Django 2.2 and 3.0 are in extended support. Per our backporting policy this means it doesn't qualify for a backport.

> These decisions were probably before the breaking changes in Chrome.

We were aware of them.

Best,
Mariusz

אורי

Aug 23, 2020, 8:33:27 AM
to Django developers (Contributions to Django itself)
On Sun, Aug 23, 2020 at 8:19 AM Mariusz Felisiak <felisiak...@gmail.com> wrote:
> It's not about the number of lines but about our backporting policy. We don't backport new features. Moreover Django 2.2 and 3.0 are in extended support. Per our backporting policy this means it doesn't qualify for a backport.

OK, I will try to fork Django and backport it myself. Thank you.

Hanne Moa

Sep 9, 2020, 2:32:55 PM
to django-d...@googlegroups.com
django-cookie-samesite has a browser version guesser, because
different browsers interpret samesite differently.

The best solution I've heard of is setting two cookies with two
different names, one the old way and one the Google way. Then check
for both wherever checking needs to be done, one of them being a fallback.
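The two-cookie approach Hanne describes, as an added example that is not from the thread, from django-cookie-samesite or from Django. It again uses http.cookies.SimpleCookie, which is what HttpResponse.cookies is, so set_dual_cookie can be called on a real response's cookies. The "-legacy" suffix, the function names and the sample Cookie headers are assumptions of the example; Python 3.8 or later is required for the SameSite attribute.

```python
from http.cookies import SimpleCookie

# Suffix for the fallback cookie. Example assumption; any name that does not
# collide with an existing cookie will do.
LEGACY_SUFFIX = "-legacy"


def set_dual_cookie(cookies, name, value, path="/"):
    """Write `name` twice into a SimpleCookie (HttpResponse.cookies is one):
    the modern cookie carries SameSite=None; Secure, the legacy twin carries no
    SameSite attribute at all, for browsers that mishandle the value None.
    Returns the two Set-Cookie attribute strings."""
    cookies[name] = value
    cookies[name]["path"] = path
    cookies[name]["samesite"] = "None"  # Python 3.8+ knows this attribute
    cookies[name]["secure"] = True      # Chrome rejects SameSite=None without Secure

    legacy = name + LEGACY_SUFFIX
    cookies[legacy] = value
    cookies[legacy]["path"] = path
    cookies[legacy]["secure"] = True
    # Deliberately no "samesite" on the legacy twin: that is "the old way".
    return cookies[name].OutputString(), cookies[legacy].OutputString()


def read_dual_cookie(cookie_header, name):
    """Parse an incoming Cookie request header and return the value for `name`,
    preferring the modern cookie and falling back to the legacy twin.
    Returns None when neither is present."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    for candidate in (name, name + LEGACY_SUFFIX):
        if candidate in jar:
            return jar[candidate].value
    return None


def demo():
    """Write the pair, then read it back from constructed Cookie headers
    (sample data, not captured traffic)."""
    written = set_dual_cookie(SimpleCookie(), "sessionid", "abc123")
    both = read_dual_cookie("sessionid=abc123; sessionid-legacy=abc123", "sessionid")
    legacy_only = read_dual_cookie("sessionid-legacy=abc123", "sessionid")
    neither = read_dual_cookie("theme=dark", "sessionid")
    return written, both, legacy_only, neither


if __name__ == "__main__":
    written, both, legacy_only, neither = demo()
    print(written[0])
    print(written[1])
    print(both, legacy_only, neither)
```

Whichever cookie the browser kept, the value it carries must go through the same session lookup and validation; the fallback only changes which header name is read. Note that a cookie with no SameSite attribute is treated as Lax by current Chrome (the first link in the opening message), so Chrome relies on the modern cookie, while a browser that rejects SameSite=None keeps only the legacy twin.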