#31933 closed Bug (wontfix)
Regression in Set-Cookie which affects Django users
Reported by: | אורי | Owned by: | nobody |
---|---|---|---|
Component: | HTTP handling | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
It seems that there is a regression in Set-Cookie in browsers such as Chrome and Dolphin, which affects Django users. SESSION_COOKIE_SAMESITE = None does not work any more with those browsers. This affects all versions of Django, and especially where it's not possible to explicitly set cookies to SameSite=None (Django <= 3.0).
You can read about it in the following links:
You can see more information in the question I just asked on Stack Overflow.
I think it should be made possible to explicitly set cookies to SameSite=None, also in settings such as SESSION_COOKIE_SAMESITE, and backport it to all working versions of Django.
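The behaviour the report describes, as an added example that is not Django's own code: a small `Set-Cookie` builder that follows the pre-3.1 Django convention (passing `samesite=None` omits the attribute rather than writing `SameSite=None`), plus a checker that applies the Chrome 80 defaults (missing SameSite is treated as Lax; `SameSite=None` is only honoured together with `Secure`). Function names are hypothetical; it assumes Python 3.8+ for `http.cookies` SameSite support.

```python
from http.cookies import SimpleCookie


def set_cookie_header(name, value, samesite=None, secure=False):
    """Build a Set-Cookie header string.

    Mirrors the pre-3.1 Django convention the ticket complains about:
    samesite=None *omits* the attribute entirely; it does not emit
    'SameSite=None'. Pass the string "None" to get the explicit attribute.
    """
    cookie = SimpleCookie()
    cookie[name] = value
    if samesite is not None:
        cookie[name]["samesite"] = samesite  # needs Python 3.8+
    if secure:
        cookie[name]["secure"] = True
    return cookie[name].OutputString()


def effective_samesite(header):
    """Return how a Chrome 80+ style browser treats the cookie's SameSite.

    Rules applied (Chrome's 2020 defaults, assumed here): a missing
    attribute is treated as Lax; SameSite=None is honoured only together
    with Secure, otherwise the cookie is rejected outright.
    """
    attrs = {}
    for part in header.split(";")[1:]:
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val.strip()
    samesite = attrs.get("samesite", "").lower()
    if samesite == "":
        return "Lax"  # Lax-by-default: cross-site POSTs lose the cookie
    if samesite == "none":
        return "None" if "secure" in attrs else "rejected"
    return samesite.capitalize()


def cross_site_usable(header):
    """True only if the cookie would still be sent on cross-site requests."""
    return effective_samesite(header) == "None"
```

With the Django <= 3.0 semantics, `set_cookie_header("sessionid", "abc")` yields no SameSite attribute and so is downgraded to Lax; only the explicit `samesite="None", secure=True` form keeps the cookie usable cross-site.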
Change History (2)
follow-up: 2 comment:1 by , 4 years ago
Component: | Core (Other) → HTTP handling |
---|---|
Resolution: | → wontfix |
Status: | new → closed |
comment:2 by , 4 years ago
Replying to felixxm:
> We decided that it's a new feature that will not be backported to Django 3.0, see #30862, and discussion in PR.

These decisions were probably before the breaking changes in Chrome. Django 2.2 and 3.0 still have a long time to live (until 2022) and the changes in Chrome, Dolphin and possibly other browsers will break this setting (SESSION_COOKIE_SAMESITE = None or CSRF_COOKIE_SAMESITE = None will not work as expected).