Opened 5 years ago

Closed 5 years ago

#31145 closed Uncategorized (invalid)

Session cookie has always the "SameSite=Lax" header.

Reported by: jET Owned by: nobody
Component: contrib.sessions Version: 3.0
Severity: Normal Keywords: SameSite
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

When I use requests test loginView, return 302 and response header set-cookie , in sessionid line, there are always have a "SameSite=Lax," before sessionid string. This causes client cookies parser problem。

{set-cookie: csrftoken=dsEtx2CP6rX5bhIbRmkTOv5LmciytID5t6ShQbgNMTALTnhCoXdxWQ1TcAzxQoDO; expires=Wed, 06 Jan 2021 17:01:00 GMT; Max-Age=31449600; Path=/; SameSite=Lax,sessionid=2rtrkbnhc8m30iqs7sw4em014hr6a3ss; expires=Wed, 22 Jan 2020 17:01:00 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax, location: /, cache-control: max-age=0, no-cache, no-store, must-revalidate, private, date: Wed, 08 Jan 2020 17:01:00 GMT, vary: Cookie, content-length: 0, x-frame-options: DENY, content-type: text/html; charset=utf-8, x-content-type-options: nosniff, server: WSGIServer/0.2 CPython/3.7.6, expires: Wed, 08 Jan 2020 17:01:00 GMT}

Change History (1)

comment:1 by Mariusz Felisiak, 5 years ago

Component: Uncategorizedcontrib.sessions
Resolution: invalid
Status: newclosed
Summary: There always has a "SameSite=Lax" string with sessionid in response header like " SameSite=Lax,sessionid=2rtrkbnhc8m30iqs7sw4em014hr6a3ss"Session cookie has always the "SameSite=Lax" header.

Lax is a default value, you can change it with the SESSION_COOKIE_SAMESITE setting.

Please don't use Trac as a support channel.

Closing per TicketClosingReasons/UseSupportChannels.

Note: See TracTickets for help on using tickets.
Back to Top