This repository has been archived by the owner on Oct 25, 2022. It is now read-only.

ValueError: samesite must be "lax" or "strict". #48

Open
charklewis opened this issue Mar 29, 2021 · 3 comments

charklewis commented Mar 29, 2021

  • django-cookies-samesite version: 0.8.0
  • Django version: 2.2.19
  • Python version: 3.9.0
  • Operating System: MacOS 11.2.3

Description

The middleware doesn't appear to be working. I continue to get the samesite must be "lax" or "strict". error.

What I Did

I have added the middleware to the top of my middleware; however, it continues to crash. It appears that the middleware is not being used. I have tried ordering my middleware differently; however, nothing seems to work.

I have created a Stack Overflow post without any responses that provides more detail: https://stackoverflow.com/questions/66756908/setting-a-cookie-with-samesite-none-on-django-2-2

Traceback (most recent call last):
  File "/Users/my-project/venv/lib/python3.9/site-packages/django/core/handlers/exception.py", line 34, in inner
    response = get_response(request)
  File "/Users/my-project/venv/lib/python3.9/site-packages/django/utils/deprecation.py", line 96, in __call__
    response = self.process_response(request, response)
  File "/Users/my-project/venv/lib/python3.9/site-packages/django/contrib/sessions/middleware.py", line 66, in process_response
    response.set_cookie(
  File "/Users/my-project/venv/lib/python3.9/site-packages/django/http/response.py", line 201, in set_cookie
    raise ValueError('samesite must be "lax" or "strict".')
ValueError: samesite must be "lax" or "strict".
{"level": "ERROR", "logger": "django.request", "function": "log.log_response", "stack_trace": "Traceback (most recent call last):\n  File \"/Users/my-project/venv/lib/python3.9/site-packages/django/core/handlers/exception.py\", line 34, in inner\n    response = get_response(request)\n  File \"/Users/my-project/venv/lib/python3.9/site-packages/django/utils/deprecation.py\", line 96, in __call__\n    response = self.process_response(request, response)\n  File \"/Users/my-project/venv/lib/python3.9/site-packages/django/contrib/sessions/middleware.py\", line 66, in process_response\n    response.set_cookie(\n  File \"/Users/my-project/venv/lib/python3.9/site-packages/django/http/response.py\", line 201, in set_cookie\n    raise ValueError('samesite must be \"lax\" or \"strict\".')\nValueError: samesite must be \"lax\" or \"strict\".", "message": "Internal Server Error: /favicon.ico\nTraceback (most recent call last):\n  File \"/Users/my-project/venv/lib/python3.9/site-packages/django/core/handlers/exception.py\", line 34, in inner\n    response = get_response(request)\n  File \"/Users/my-project/venv/lib/python3.9/site-packages/django/utils/deprecation.py\", line 96, in __call__\n    response = self.process_response(request, response)\n  File \"/Users/my-project/venv/lib/python3.9/site-packages/django/contrib/sessions/middleware.py\", line 66, in process_response\n    response.set_cookie(\n  File \"/Users/my-project/venv/lib/python3.9/site-packages/django/http/response.py\", line 201, in set_cookie\n    raise ValueError('samesite must be \"lax\" or \"strict\".')\nValueError: samesite must be \"lax\" or \"strict\".", "hostname": null}

My middleware and settings are configured in a common.py file:

# some settings...

MIDDLEWARE = (
    'django_cookies_samesite.middleware.CookiesSameSite',
    "django_middleware_global_request.middleware.GlobalRequestMiddleware",
    "django.contrib.sessions.middleware.SessionMiddleware",
    "django.middleware.locale.LocaleMiddleware",
    "django.middleware.common.CommonMiddleware",
    "django.middleware.csrf.CsrfViewMiddleware",
    "django.contrib.auth.middleware.AuthenticationMiddleware",
    "django.contrib.messages.middleware.MessageMiddleware",
    # and other app specific middleware
)

# some other settings

SESSION_COOKIE_SAMESITE = 'None'
SESSION_COOKIE_SAMESITE_FORCE_ALL = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True

# other settings
@charklewis
Author

I have also tried setting DCS_SESSION_COOKIES_SAMESITE = 'none' however it doesn't seem to make a difference.

@jnis77diver

@charklewis Did you find a resolution for this?

@charklewis
Author

I did! In the end I wrote a small function to manually apply this to my cookies instead of using a plugin.

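from django.conf import settings

def add_samesite_is_none(self, response, name):
    # Only mark the cookie SameSite=None when session cookies are sent with Secure.
    if settings.SESSION_COOKIE_SECURE:
        response.cookies[name]["samesite"] = "None"
    return response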
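
The workaround in the last comment, as a stand-alone added example that is not code from the thread or from django-cookies-samesite: it works on `http.cookies.SimpleCookie`, the type Django uses for `response.cookies`, and generalizes the per-cookie check to each cookie's own Secure flag. The function name `force_samesite_none` and the sample cookie values are constructed for illustration.

```python
from http.cookies import SimpleCookie


def force_samesite_none(cookies, names):
    """Set SameSite=None on the named cookies, but only where Secure is set.

    Returns (changed, skipped) lists of cookie names.
    """
    changed, skipped = [], []
    for name in names:
        morsel = cookies.get(name)
        if morsel is None:
            continue  # cookie is not being set on this response
        if not morsel["secure"]:
            # Current browsers reject SameSite=None without Secure,
            # so leave the cookie untouched and report it instead.
            skipped.append(name)
            continue
        morsel["samesite"] = "None"  # needs Python 3.8+ for the samesite key
        changed.append(name)
    return changed, skipped


def demo():
    # Constructed sample cookies standing in for response.cookies
    jar = SimpleCookie()
    jar["sessionid"] = "constructed-session-value"
    jar["sessionid"]["secure"] = True
    jar["sessionid"]["httponly"] = True
    jar["sessionid"]["path"] = "/"
    jar["csrftoken"] = "constructed-csrf-value"  # deliberately not Secure
    changed, skipped = force_samesite_none(
        jar, ["sessionid", "csrftoken", "missing"]
    )
    return jar, changed, skipped


if __name__ == "__main__":
    jar, changed, skipped = demo()
    print(jar.output())
    print("changed:", changed, "skipped:", skipped)
```
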
