Thanks for the report everyone. This will be fixed in the next release of Tutor (v10.2.0). The “right” fix consists of adding the following entries to the LMS production settings when HTTPS is enabled:
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
DCS_SESSION_COOKIE_SAMESITE = "None"
And when HTTPS is disabled:
SESSION_COOKIE_SECURE = False
CSRF_COOKIE_SECURE = False
DCS_SESSION_COOKIE_SAMESITE = "Lax"
These settings will be included in v10.2.0, which should be released today.