Users cannot login - CSRF cookie not set

There is a new google chrome update that is rejecting cookies with the following message:

This Set-Cookie was blocked because it had the “SameSite=None” attribute but did not have the “Secure” attribute, which is required in order to use “SameSite=None”.

You can see further information here: https://discuss.openedx.org/t/lti-xblock-and-samesite/759/15

Pull request were referenced there.

In the meanwhile I fixed the problem adding:

DCS_SESSION_COOKIE_SAMESITE = 'Lax'

In env/apps/openedx/settings/lms/production.py and env/apps/openedx/settings/cms/production.py

4 Likes

Hi @juansele,

Thank you so much for the tip. Should I be able to make a similar change to https://github.com/edx/edx-platform/pull/24593/files? We’re using our forked version of edx-platform. I’m just wondering what exact env file to use. Is it devstack.py or other file?

Hi @juansele

Thanks for the hint. I just want to make sure that the lines to add are:

# django-session-cookie middleware
DCS_SESSION_COOKIE_SAMESITE = 'Lax'

Isn’t lax should in double quotes like this “Lax”?
Did you have to run to rebuild the docker image? or just run “tutor local quickstart”?

Thanks

Hello @nachham,
editing those files is not the tutor way to go. So I’ve created a plugin so the change persist between rebuilds.

To install/use it please follow:

tutor plugins install https://gist.githubusercontent.com/juansele/23540d016918d31755b05ccf1bdd4afc/raw/4ce2ab173e7f8bbbbce12acd178c32d6f48c5c44/tempchromecsrffix.yml
tutor plugins enable tempchromecsrffix
tutor config save
tutor local reboot

Just for the sake of clarity, in the case you want to make the edits manually:

  • It is a python file so you can use either single or double quotes.
  • We are editing files within a “docker volume”, so all you need to do is tutor local restart cms. However those files are dynamically generated and overwritten when you do a tutor config save (which tutor local quickstart performs).
1 Like

Hello @tuananh-pham,
I am not sure which one you should edit for a non-tutor installation. In the forum I linked they do edit devstack.py indeed.

Thanks @juansele
Cheers

Hi. We are using tutor k8s deployment, with custom edx-platform fork. Should we change the devstack.py file?

I suggest you use the plugin. Let me know if it works

We got it fixed by changing in edx-platform repo’s cms/envs/production.py:

DCS_SESSION_COOKIE_SAMESITE = 'Lax'

Hi! I’m jumping in this conversation a little late, but I wonder if the default Tutor production settings should be modified.

Can someone please clarify:

  1. Which version of Tutor are you running?
  2. How to reproduce the issue?
  3. Are you quite sure that setting DCS_SESSION_COOKIE_SAMESITE = 'Lax' is the right thing to do? The name of this value (“lax”) would imply that this is meant only for development, not production.

Hey @regis

I’m facing the same issue in Chrome, if I open the dev tools I see the next error

Btw, if I’m using Firefox the issue doesn’t happen and I’m able to login

@bryancr89 please explain how to reproduce the issue.

Hi @regis,

  1. I am running 10.1.0
  2. Run tutor on “production”, try to log in using updated google chrome
    chrome will block cookies.
  3. Maybe setting the “Secure” attribute is a better solution.

Thanks for the report everyone. This will be fixed in the next release of Tutor (v10.2.0). The “right” fix consists of adding the following entries to the LMS production settings when HTTPS is enabled:

SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
DCS_SESSION_COOKIE_SAMESITE = "None"

And when HTTPS is disabled:

SESSION_COOKIE_SECURE = False
CSRF_COOKIE_SECURE = False
DCS_SESSION_COOKIE_SAMESITE = "Lax"

These settings will be included in v10.2.0, which should be released today.

4 Likes