11

Firefox error:

Cookie “_myapp_session” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite” attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

"To fix this, you will have to add the Secure attribute to your SameSite=None cookies."

How do I add the Secure attribute to my SameSite=None cookie when using Rails 6?

I do not want to add a separate gem to accomplish this. This error randomly appeared; I assume there was a browser change. Does Rails 6 have a native way to fix this? I read this post,

Thank you

user2012677

3 Answers

4

You can configure your session store to use secure cookies in production, just add this to an initializer:

MyApp::Application.config.session_store :cookie_store, key: '_my_app_session', secure: Rails.env.production?

You may already have it on config/initializers/session_store.rb.

Documentation and pertinent issue. This will be fixed in Rails 6.1.

Felipe Zavan
  • This gets rid of the error in the web browser console, but breaks the login cookies, at least for me in my two Rails 6.0 projects. – SWoo Jun 27 '20 at 22:38
  • @SWoo This is my experience too; I'm in a development environment and attempting to persist an object to my db, and I have to refresh the browser before being able to do so. All these fixes here are hacky, in a bad way. – J.R. Bob Dobbs Mar 17 '22 at 04:29
  • I gave up and used the secure_headers gem. I looked at the source a bit and the work to replicate it just to avoid using another gem felt like too much for the effort required. – SWoo Mar 18 '22 at 19:52
3

You need this line in your Rails config file:

# Specify cookies SameSite protection level: either :none, :lax, or :strict.
#
# This change is not backwards compatible with earlier Rails versions.
# It's best enabled when your entire app is migrated and stable on 6.1.
Rails.application.config.action_dispatch.cookies_same_site_protection = :lax
rapidror
0
  1. Update to rails 6.1 (see documentation here on how to do that)
  2. Add the following line to config/application.rb (see the doc here for details on the cookies_same_site_protection option):
# config/application.rb

...

module YourAppName
  class Application < Rails::Application
    ...

    # Specify cookies SameSite protection level: either :none, :lax, or :strict.
    # This change is not backwards compatible with earlier Rails versions.
    # It's best enabled when your entire app is migrated and stable on 6.1.
    # Was not in Rails 6.0. Default in Rails 6.1 is :lax, not :strict.
    config.action_dispatch.cookies_same_site_protection = :strict

    ...
  end
end

This line could also be added to config/environments/development.rb, config/environments/production.rb or to an initializer depending on your needs.

jfs
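The rule behind the Firefox warning, and behind the `secure:` and `cookies_same_site_protection` settings in the answers above, is small enough to check outside a browser. The following is an added example, not code from the question, from any of the answers, or from Rails itself: it parses a Set-Cookie header the way a browser would, reports the SameSite/Secure combinations that browsers reject, and builds a session cookie header under each of the three SameSite levels. The function names (`parse_set_cookie`, `same_site_problems`, `build_session_cookie`), the constructed sample headers, and the header layout (which only approximates what Rack emits) are assumptions of this example. Automatically adding Secure whenever SameSite=None is requested is a choice made here for illustration; Rails does not do it for you, which is why the first answer pairs `secure:` with the production environment.

```ruby
# Added example: model of the browser's SameSite/Secure rule, pure Ruby, no Rails.
# Assumed names throughout; the sample headers below are constructed for the demo.

SAME_SITE_VALUES = %i[none lax strict].freeze

# Parse one Set-Cookie header value into name, value and an attribute hash.
# Attribute names are downcased (browsers treat them case-insensitively);
# attributes without a value (Secure, HttpOnly) map to true.
def parse_set_cookie(header)
  pair, *attrs = header.split(/;\s*/)
  name, value = pair.split('=', 2)
  attributes = {}
  attrs.each do |attr|
    k, v = attr.split('=', 2)
    attributes[k.strip.downcase] = v.nil? ? true : v.strip
  end
  { name: name, value: value, attributes: attributes }
end

# Return the list of problems a browser would flag for this header.
# The rule from the Firefox message: SameSite=None, or an invalid SameSite
# value, is only accepted when the Secure attribute is also present.
# A missing SameSite attribute is reported separately; Chrome has treated
# such cookies as Lax by default since Chrome 80.
def same_site_problems(header)
  attrs = parse_set_cookie(header)[:attributes]
  secure = attrs.key?('secure')
  same_site = attrs['samesite']
  problems = []

  if same_site.nil?
    problems << 'SameSite attribute missing (treated as Lax by default in Chrome)'
  else
    value = same_site.to_s.downcase
    valid = %w[none lax strict].include?(value)
    problems << "invalid SameSite value #{same_site.inspect}" unless valid
    # None, or anything the browser cannot parse, needs Secure to be accepted.
    problems << 'SameSite=None (or invalid) without Secure' if (value == 'none' || !valid) && !secure
  end

  problems
end

# Build a session Set-Cookie header from the kind of options the answers use:
# the store key, the SameSite level (:none, :lax or :strict) and the Secure flag.
# Design choice for this example: requesting :none forces Secure on, so the
# header never triggers the warning shown in the question.
def build_session_cookie(key, value, same_site: :lax, secure: false)
  unless SAME_SITE_VALUES.include?(same_site)
    raise ArgumentError, "unknown SameSite value #{same_site.inspect}"
  end
  secure = true if same_site == :none # SameSite=None requires Secure

  parts = ["#{key}=#{value}", 'path=/', 'HttpOnly']
  parts << 'Secure' if secure
  parts << "SameSite=#{same_site.to_s.capitalize}"
  parts.join('; ')
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample: the shape of header the question's warning is about.
  warned = '_myapp_session=abc123; path=/; HttpOnly; SameSite=None'
  puts "#{warned}\n  -> #{same_site_problems(warned).inspect}"

  SAME_SITE_VALUES.each do |level|
    header = build_session_cookie('_my_app_session', 'abc123', same_site: level)
    puts "#{header}\n  -> #{same_site_problems(header).inspect}"
  end
end
```

Run it as a plain script to see which combinations are flagged; `same_site_problems` can also be pointed at the Set-Cookie header your own app returns (for example, copied from the browser's network panel) to confirm a fix before deploying it. Note that a `Secure` cookie is only sent back over HTTPS, which is why the first answer's `secure: Rails.env.production?` guard matters on a plain-HTTP development server.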