5

I am attempting to set the SameSite property in my session's cookie in my Rails 5.0.7.2 application but I am having problems determining where and how to set this up.

It looks like a way of determining the SameSite protection level globally will be introduced in Rails 6.1; see https://github.com/rails/rails/commit/cd1aeda0a9dc15f09d7bf1b8b59e2ce07946f031. That said, how does one go about setting this in a prior version?

The way SameSite is treated will be changing as of Chrome version 80 and I am attempting to prepare for this, specifically as it relates to:

"Cookies for cross-site usage must specify SameSite=None; Secure to enable inclusion in third party context."

See https://web.dev/samesite-cookie-recipes/ for more info.

rii
  • I think it could be done by monkeypatching ActionDispatch::Request::CookieJar#handle_options. – max Jan 08 '20 at 02:12
  • Hmm, it also seems like you can't even set 'None' as a SameSite value until Rack version 2.1 is released: https://github.com/rack/rack/issues/1387 – rii Jan 08 '20 at 21:59
  • You can achieve this by overriding the `Rack::Utils.set_cookie_header!` method as explained here: https://stackoverflow.com/a/60036434/979858 – anil.n Feb 03 '20 at 10:14

1 Answer

2

I was able to do this with the secure_headers gem and rails 4.2.11.1. I put the config in an initializer:

SecureHeaders::Configuration.default do |config|
  config.cookies = {
    samesite: {
      none: true
    }
  }
end

https://github.com/twitter/secure_headers/blob/master/docs/cookies.md

  • I tried this with the rails 6.0.3.2 and firefox 77.0.1 and still get the warning in the browser console. – SWoo Jun 29 '20 at 14:57
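As an added example (not code from the question, the answer or the secure_headers gem), here is a Rack-style middleware in plain Ruby that appends `SameSite=None; Secure` to the `Set-Cookie` headers of an app running on a Rails/Rack version without native support for it; the class name, the `only:` option and the sample cookies are assumptions, and no rack gem is required.

```ruby
# Added example: rewrite outgoing Set-Cookie headers so every cookie carries
# SameSite=None plus the Secure attribute that browsers require alongside it.
# In Rack 2.x the "Set-Cookie" header is one string with one cookie per line.
class SameSiteNoneCookies
  SET_COOKIE = "Set-Cookie".freeze

  # only: optional list of cookie names to rewrite; nil rewrites all cookies
  def initialize(app, only: nil)
    @app  = app
    @only = only
  end

  def call(env)
    status, headers, body = @app.call(env)
    if headers[SET_COOKIE]
      headers[SET_COOKIE] = self.class.rewrite(headers[SET_COOKIE], only: @only)
    end
    [status, headers, body]
  end

  # Rewrite every cookie in a Rack Set-Cookie string (newline separated).
  def self.rewrite(header, only: nil)
    header.split("\n").map { |cookie| rewrite_cookie(cookie, only: only) }.join("\n")
  end

  # Add SameSite=None and Secure to one Set-Cookie line, keeping the other attributes.
  def self.rewrite_cookie(cookie, only: nil)
    parts = cookie.split(";").map(&:strip).reject(&:empty?)
    name  = parts.first.to_s.split("=", 2).first
    return cookie if only && !only.include?(name)
    # Drop any existing SameSite attribute so the header never carries two.
    attrs = parts.drop(1).reject { |a| a.downcase.start_with?("samesite") }
    # SameSite=None is only accepted by browsers when Secure is also present.
    attrs << "Secure" unless attrs.any? { |a| a.casecmp?("Secure") }
    attrs << "SameSite=None"
    ([parts.first] + attrs).join("; ")
  end
end
```

In a Rails app it would be registered from an initializer with `config.middleware.insert_before ActionDispatch::Cookies, SameSiteNoneCookies` so it sees the cookies written further down the stack. Because `Secure` is mandatory with `SameSite=None`, the rewritten cookies are only sent over HTTPS, so keep the middleware limited to environments served over TLS.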