
Django - check cookie's "SameSite" attribute

In my Django application, I want to check whether a specific cookie has "SameSite=None" or not.

I'm using this code to read the value of the cookie:

cookiesid = request.COOKIES["cookiesid"]

However, I don't know how to check the "SameSite" attribute; it seems there is no method to check it through request.COOKIES[""].

How can I check it?

I'm using Python 3.6.9 and Django 3.1

user3114168 asked Aug 25 '20 09:08


2 Answers

I've also been having issues with cross-domain Cookies recently, and I've tracked it down to Google Chrome gradually rolling out their security update that forces the SameSite attribute to Lax if it isn't set.

Lax means that the Cookie is going to be blocked cross-domain by default on Google Chrome.

Given that you're inspecting the Cookie's attributes in the code, I think that if the SameSite attribute isn't there, then you're not setting it and therefore Google Chrome is forcing the attribute to Lax.

As you've stated you're using Django 3.1, the following four entries in your settings.py file might resolve your issue (as it did for me):

CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SAMESITE = 'None'
SESSION_COOKIE_SAMESITE = 'None'

Good luck!

LouieC answered Oct 21 '22 03:10


Going a little bit deeper.

  1. In production set:

     CSRF_COOKIE_SECURE = True
     SESSION_COOKIE_SECURE = True
     CSRF_COOKIE_SAMESITE = 'None'
     SESSION_COOKIE_SAMESITE = 'None'

  2. Do not set any of the above flags in development. It will say that it cannot set the cookie with SameSite=None if the connection is NOT secure.

Also make sure that you have Django 3; in Django 2 there is a bug and it will output a ValueError.

juan Isaza answered Oct 21 '22 05:10
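
Added example, not part of either answer: a browser sends only name=value pairs in the Cookie request header, so request.COOKIES cannot expose SameSite; the attribute is visible only on the Set-Cookie headers the server emits. The sketch below uses the standard library's http.cookies to audit Set-Cookie values for the SameSite=None-without-Secure case the second answer mentions. The function names and the sample headers are assumptions constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed sample data (not captured from a real application).
REQUEST_COOKIE_HEADER = "cookiesid=xyz; sessionid=abc123"
SET_COOKIE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=None",
    "csrftoken=tok456; Path=/; SameSite=None",   # None without Secure
    "cookiesid=xyz; Path=/",                     # no SameSite at all
]


def parse_request_cookies(cookie_header):
    """What the server receives from the browser: names and values only."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return {name: morsel.value for name, morsel in jar.items()}


def audit_set_cookie(set_cookie_headers):
    """Map each cookie name to its SameSite/Secure attributes and findings.

    Django's response.cookies is also a SimpleCookie, so the same morsel
    keys ("samesite", "secure") can be read there before the response is sent.
    """
    report = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            samesite = morsel["samesite"] or None   # "" when attribute is absent
            secure = bool(morsel["secure"])
            findings = []
            if samesite is None:
                findings.append("SameSite missing: browser default applies")
            elif samesite.lower() == "none" and not secure:
                findings.append("SameSite=None without Secure")
            report[name] = {"samesite": samesite, "secure": secure,
                            "findings": findings}
    return report


if __name__ == "__main__":
    print(parse_request_cookies(REQUEST_COOKIE_HEADER))
    for name, result in audit_set_cookie(SET_COOKIE_HEADERS).items():
        print(name, result)
```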