3

I am trying to launch my application, which was written using Django 1.6.5, in a Salesforce web tab iframe. I was getting a "CSRF cookie not set" error while trying to log in. I understood from the console logs that the latest version of Chrome only allows cookies which are set with 'secure'=True and samesite=None. I understood that these settings can be added in settings.py in later versions of Django:

SESSION_COOKIE_SAMESITE = 'None'
CSRF_COOKIE_SAMESITE = 'None'
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True

But this does not work in Django 1.6.5. I have been trying to find out how to apply these settings in my version.

1 Answer

4

There is no support for the samesite setting in Django 1.6.5, which is the reason adding those in settings.py did not work. Django 3.1 is where they started to support this setting. I tried adding my own middleware to add the setting to the cookies, but I got an invalid field error. Then I found a library I can use for this: django-cookies-samesite. I was able to set samesite to None and secure to True, and then I was able to log in through the Salesforce web tab.

  1. Add these in settings.py
SESSION_COOKIE_SAMESITE = 'None'
SESSION_COOKIE_SAMESITE_FORCE_ALL = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
  2. And add this in the MIDDLEWARE_CLASSES:
'django_cookies_samesite.middleware.CookiesSameSite',

Relevant sites I got the info from:

https://github.com/django/django/pull/8380/files

https://pypi.org/project/django-cookies-samesite/

  • How did you do that? In django-cookies-samesite docs the minimum django version is 1.11.X – mrroot5 Aug 24 '21 at 10:03
  • 1
    @mrroot5 It doesn't specify the minimum version. Just that it was built for legacy Django versions. I've tried it and it works for me. – Vineeth Vishwanath Oct 04 '21 at 15:34
  • After this comment I tried it and it works for me at a minimum version of Django 1.8. Not all the things, like the CSRF cookie or forcing secure for all cookies, but it works to change a cookie's SameSite. Finally I created my own middleware based on it to change my company JWT cookie. – mrroot5 Oct 05 '21 at 12:16
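The answer and the last comment both mention a hand-written middleware for setting SameSite on legacy Django. The sketch below is an added example, not code from the post or from django-cookies-samesite: it shows an old-style `MIDDLEWARE_CLASSES` middleware that marks only the named cookies `SameSite=None; Secure`, and it registers the `samesite` attribute first because Python's `Morsel` did not accept that key before Python 3.8. The class and function names, the cookie list and the fake request/response objects are assumptions made so the block runs without Django.

```python
from http import cookies as http_cookies  # on Python 2 this module is named `Cookie`

# Before Python 3.8, Morsel rejects morsel["samesite"] with CookieError because the
# key is not a known attribute. Registering it is a no-op on 3.8 and later.
http_cookies.Morsel._reserved.setdefault("samesite", "SameSite")

CROSS_SITE_COOKIES = ("sessionid", "csrftoken")  # assumption: Django's default names

def mark_cross_site(jar, names=CROSS_SITE_COOKIES):
    """Set SameSite=None and Secure on the named cookies only; return what changed."""
    changed = []
    for name in names:
        if name in jar:
            jar[name]["samesite"] = "None"
            jar[name]["secure"] = True  # Chrome drops SameSite=None cookies without Secure
            changed.append(name)
    return changed

class CrossSiteCookieMiddleware(object):
    """Old-style middleware: Django calls process_response on the way out."""
    def process_response(self, request, response):
        # A Secure cookie is never sent back over plain HTTP, so leave those responses alone.
        if request.is_secure():
            mark_cross_site(response.cookies)
        return response

class FakeRequest(object):
    """Constructed stand-in for HttpRequest."""
    def __init__(self, secure):
        self.secure = secure
    def is_secure(self):
        return self.secure

class FakeResponse(object):
    """Constructed stand-in for HttpResponse; response.cookies is a SimpleCookie."""
    def __init__(self):
        self.cookies = http_cookies.SimpleCookie()
        for name, value in (("sessionid", "constructed-session-value"),
                            ("csrftoken", "constructed-csrf-value"), ("theme", "dark")):
            self.cookies[name] = value

def demo(secure=True):
    """Run the middleware over the constructed response; return the Set-Cookie values."""
    resp = CrossSiteCookieMiddleware().process_response(FakeRequest(secure), FakeResponse())
    return {name: morsel.OutputString() for name, morsel in resp.cookies.items()}

if __name__ == "__main__":
    for value in demo().values():
        print("Set-Cookie: " + value)
```

Behind a TLS-terminating proxy, `request.is_secure()` only returns True when Django's `SECURE_PROXY_SSL_HEADER` setting is configured for the header the proxy sends.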