
Default to request's cookies_same_site_protection option #222


Open
wants to merge 1 commit into
base: master
from

Conversation

stevenharman
Contributor

@stevenharman stevenharman commented Apr 2, 2025

This brings the ActiveRecordStore in line with the CookieStore that ships with Rails. (see: rails/rails#45501)

ActionDispatch::Session::ActiveRecordStore passes along whatever options it was configured with, and by default that DOES NOT include a :same_site value. So when Rack::Session::SessionId is created, it's defaulting :same_site to nil because the option is missing. That means, by the time ActionDispatch's cookie middleware runs, there is a :same_site key, so it won't set the default specified in config/application.rb via config.action_dispatch.cookies_same_site_protection = :none, for example.

Fixes #214

@stevenharman stevenharman force-pushed the fix_same_site_option branch from d7d4a49 to e2c86c2 Compare April 4, 2025 15:46
This brings the ActiveRecordStore in line with the CookieStore that
ships with Rails. (see: rails/rails#45501)

`ActionDispatch::Session::ActiveRecordStore` passes along whatever
options it was configured with, and by default that DOES NOT include a
`:same_site` value. So when `Rack::Session::SessionId` is created, it's
defaulting `:same_site` to `nil` because the option is missing. That means,
by the time `ActionDispatch`'s cookie middleware runs, there is a
`:same_site` key, so it won't set the default.
@stevenharman stevenharman force-pushed the fix_same_site_option branch from e2c86c2 to d06f4ac Compare April 7, 2025 18:56
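
The key-present-but-nil behaviour described in this pull request, as an added Ruby sketch that is not code from Rails, Rack or this project. The method names, the `Request` struct and the sample session id are assumptions made for illustration; only the `:same_site` key and `cookies_same_site_protection` come from the page.

```ruby
# Simplified model of the behaviour described in this PR; not Rails, Rack or
# activerecord-session_store source. All names below are hypothetical.
Request = Struct.new(:cookies_same_site_protection)

# Models the cookie middleware: the app-wide default is applied only when
# the :same_site key is absent, so an explicit nil suppresses it.
def finalize_cookie_options(options, request)
  opts = options.dup
  opts[:same_site] = request.cookies_same_site_protection unless opts.key?(:same_site)
  opts[:same_site] = opts[:same_site].call(request) if opts[:same_site].respond_to?(:call)
  opts
end

# Models the session layer filling in :same_site as nil when the store omits it.
def session_options_before_fix(store_options)
  { same_site: nil }.merge(store_options)
end

# Models the fix: default to a callable that defers to the request's setting.
DEFAULT_SAME_SITE = proc { |request| request.cookies_same_site_protection }

def session_options_after_fix(store_options)
  { same_site: DEFAULT_SAME_SITE }.merge(store_options)
end

# Builds a Set-Cookie value; SameSite is emitted only when the option is non-nil.
def set_cookie_header(name, value, opts)
  parts = ["#{name}=#{value}", "path=/"]
  parts << "secure" if opts[:secure]
  parts << "httponly" if opts[:httponly]
  parts << "SameSite=#{opts[:same_site].to_s.capitalize}" if opts[:same_site]
  parts.join("; ")
end

def render(store_options, request, fixed:)
  session_opts = fixed ? session_options_after_fix(store_options) : session_options_before_fix(store_options)
  set_cookie_header("_session_id", "constructed-sid", finalize_cookie_options(session_opts, request))
end

if __FILE__ == $PROGRAM_NAME
  request = Request.new(:none) # stands in for cookies_same_site_protection = :none
  store_options = { secure: true, httponly: true } # constructed store configuration
  puts render(store_options, request, fixed: false) # no SameSite attribute
  puts render(store_options, request, fixed: true)  # SameSite=None from the request default
  puts render(store_options.merge(same_site: :strict), request, fixed: true) # explicit value wins
end
```

A check on a deployed application is to inspect the session cookie's `Set-Cookie` response header and confirm the `SameSite` attribute matches the configured `cookies_same_site_protection` value.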
Successfully merging this pull request may close these issues.

SameSite attribute missing in cookies