CODEWITHSUNDEEP
python-3.xdjangocookies
user3114168
user3114168

Reputation: 335

Django - check cookies's "SameSite" attribute

In my Django application, I want to check if a specific cookies has "SameSite=None" or not.

I'm using this code to read the value of the cookies,

cookiesid = request.COOKIES["cookiesid"]

However, I don't know how to check "SameSite" attribute, seems there is no method to check it by request.COOKIES[""]

How can I check it?

I'm using Python 3.6.9 and Django 3.1

Upvotes: 14

Views: 17787

Answers (2)

juan Isaza
juan Isaza

Reputation: 3987

Going a little bit deeper.

  1. In production set:
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SAMESITE = 'None'
SESSION_COOKIE_SAMESITE = 'None'
  1. Do not set any of the above flags in development. It will say that cannot set the cookie with SameSite=None if the connection is NOT secure.

Also make sure that you have Django 3, in Django 2 there is a bug and it will output a ValueError.

Upvotes: 15

LouieC
LouieC

Reputation: 708

I've also been having issues with cross-domain Cookies recently, and I've tracked it down to Google Chrome gradually rolling out their security update that forces the SameSite attribute to Lax if it isn't set

Lax means that the Cookie is going to be blocked cross-domain by default on Google Chrome

Given that you're inspecting the Cookie's attributes in the code, I think that if the SameSite attribute isn't there, than you're not setting it and therefore Google Chrome is forcing the attribute to Lax

As you've stated you're using Django 3.1, the following four entries in your settings.py file might resolve your issue (as it did for me):

CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SAMESITE = 'None'
SESSION_COOKIE_SAMESITE = 'None'

Good luck!

Upvotes: 31

Related Questions