Use SameSite=None for cookies.

Chrome requires this (along with the Secure attribute and delivery over HTTPS) for all third-party cookies (as of February). https://web.dev/samesite-cookies-explained/
themarshallproject · Sep 11, 2020 · a49ec90 · a49ec90
1 parent 76cdf18
commit a49ec90
Showing 4 changed files with 7 additions and 3 deletions.
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -39,7 +39,7 @@ def current_user
 
     user = User.find_by(id: cookies.signed[:user_id])
     if user.present?
-      cookies.signed[:user_id] = { value: user.id, expires: 7.days.from_now, httponly: true }
+      cookies.signed[:user_id] = { value: user.id, expires: 7.days.from_now, httponly: true, same_site: :none, secure: true }
       @current_user = user
     else
       cookies.signed[:user_id] = nil

diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
@@ -21,7 +21,7 @@ def token
       if user[:expired]
         redirect_to expired_token_path(user[:user].id)
       else
-        cookies.signed[:user_id] = { value: user.id, expires: 7.days.from_now, httponly: true }
+        cookies.signed[:user_id] = { value: user.id, expires: 7.days.from_now, httponly: true, same_site: :none, secure: true }
         redirect_to root_path
       end
     else

diff --git a/config/environments/development.rb b/config/environments/development.rb
@@ -38,6 +38,10 @@
 
   config.action_mailer.delivery_method = :letter_opener
 
+  config.hosts << "klaxon.test"
+
+  config.force_ssl = (ENV.fetch('KLAXON_FORCE_SSL', 'false').to_s.downcase == 'true')
+
   # Raises error for missing translations
   # config.action_view.raise_on_missing_translations = true
 

diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
@@ -1,3 +1,3 @@
 # Be sure to restart your server when you modify this file.
 
-Rails.application.config.session_store :cookie_store, key: '_klaxon_session'
+Rails.application.config.session_store :cookie_store, key: '_klaxon_session', same_site: :none, secure: true