Users cannot log in - CSRF cookie not set

There is a new Google Chrome update that is rejecting cookies with the following message:

This Set-Cookie was blocked because it had the “SameSite=None” attribute but did not have the “Secure” attribute, which is required in order to use “SameSite=None”.

You can see further information here:

Pull requests were referenced there.

In the meantime, I fixed the problem by adding:


In env/apps/openedx/settings/lms/ and env/apps/openedx/settings/cms/


Hi @juansele,

Thank you so much for the tip. Should I be able to make a similar change to We’re using our forked version of edx-platform. I’m just wondering what exact env file to use. Is it or other file?

Hi @juansele

Thanks for the hint. I just want to make sure that the lines to add are:

# django-session-cookie middleware

Shouldn’t lax be in double quotes, like this: “Lax”?
Did you have to run to rebuild the Docker image, or just run “tutor local quickstart”?


Hello @nachham,
Editing those files is not the Tutor way to go, so I’ve created a plugin so that the change persists between rebuilds.

To install/use it please follow:

tutor plugins install
tutor plugins enable tempchromecsrffix
tutor config save
tutor local reboot

Just for the sake of clarity, in case you want to make the edits manually:

  • It is a Python file, so you can use either single or double quotes.
  • We are editing files within a “docker volume”, so all you need to do is tutor local restart cms. However, those files are dynamically generated and overwritten when you do a tutor config save (which tutor local quickstart performs).

Hello @tuananh-pham,
I am not sure which one you should edit for a non-tutor installation. In the forum I linked they do edit indeed.

Thanks @juansele

Hi. We are using tutor k8s deployment, with custom edx-platform fork. Should we change the file?

I suggest you use the plugin. Let me know if it works.
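
The Chrome rule quoted in the first post, as an added example that is not part of the original thread or of Tutor or Open edX code: a small Python check that flags Set-Cookie headers carrying SameSite=None without Secure, which is how a dropped csrftoken cookie leads to "CSRF cookie not set". The function names and the sample headers are constructed for illustration.

```python
# Added example: flags Set-Cookie headers that Chrome rejects under the rule
# quoted in the thread (SameSite=None requires the Secure attribute).

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (cookie name, attributes dict)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        # Attribute names are case-insensitive, so normalise the key.
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def blocked_by_chrome(header):
    """True if the cookie has SameSite=None but lacks the Secure attribute."""
    _, attrs = parse_set_cookie(header)
    return attrs.get("samesite", "").lower() == "none" and "secure" not in attrs


def audit(headers):
    """Return the names of cookies the browser would drop, in header order."""
    return [parse_set_cookie(h)[0] for h in headers if blocked_by_chrome(h)]


# Constructed sample response headers (not captured from a real site).
SAMPLE_HEADERS = [
    "csrftoken=abc123; Path=/; SameSite=None",
    "sessionid=xyz789; Path=/; HttpOnly; SameSite=None; Secure",
    "lang=en; Path=/; SameSite=Lax",
    "example_pref=1; Path=/; samesite=none; secure",
]

if __name__ == "__main__":
    for name in audit(SAMPLE_HEADERS):
        print(f"{name}: SameSite=None without Secure, Chrome will block it")
```

Feed it the Set-Cookie values copied from the browser's network panel or from `curl -I` output to see which cookies need the Secure attribute or a different SameSite value.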