Use secure cookies by default only if served over HTTPS

rolodato · rolodato · commit 1c1708f370ea · 2025-05-26T16:12:34.000-03:00
diff --git a/api/app/views.py b/api/app/views.py
@@ -60,7 +60,7 @@ def project_overrides(request: Request) -> HttpResponse:
     }
     is_secure_request = request.is_secure()
     override_data["useSecureCookies"] = is_secure_request or settings.USE_SECURE_COOKIES
-    if settings.COOKIE_SAME_SITE is not None:
+    if settings.COOKIE_SAME_SITE:
         same_site = settings.COOKIE_SAME_SITE
     elif is_secure_request:
         same_site = "None"
diff --git a/api/custom_auth/jwt_cookie/services.py b/api/custom_auth/jwt_cookie/services.py
@@ -8,11 +8,12 @@
 
 def authorise_response(user: FFAdminUser, response: Response, secure=False) -> Response:  # type: ignore[no-untyped-def]
     sliding_token = SlidingToken.for_user(user)
+    same_site = "None" if secure else "Lax"
     response.set_cookie(
         JWT_SLIDING_COOKIE_KEY,
         str(sliding_token),
         httponly=True,
         secure=secure,
-        samesite=settings.COOKIE_SAME_SITE,  # type: ignore[arg-type]
+        samesite=settings.COOKIE_SAME_SITE or same_site,  # type: ignore[arg-type]
     )
     return response
diff --git a/docs/docs/deployment/hosting/locally-frontend.md b/docs/docs/deployment/hosting/locally-frontend.md
@@ -95,11 +95,10 @@ Current variables used between 'frontend/environment.js' and 'frontend/common/pr
 - `SENTRY_API_KEY`: Sentry key for error reporting.
 - `ALBACROSS_CLIENT_ID`: Albacross client ID key for behaviour tracking.
 - `BASE_URL`: Used for specifying a base url path that's ignored during routing if serving from a subdirectory.
-- `USE_SECURE_COOKIES`: Enable / disable the use of secure cookies. If deploying the FE in a private network without a
-  domain / SSL cert, disable secure cookies to ensure that session token is persisted. Default: true.
-- `COOKIE_SAME_SITE`: Define the value of the samesite attribute for the session token cookie set by the frontend.
-  Further reading on this value is available [here](https://web.dev/articles/samesite-cookies-explained). Default:
-  'none'.
+- `USE_SECURE_COOKIES`: If set to `true`, forces the use of secure (i.e. HTTPS-only) session cookies.
+- `COOKIE_SAME_SITE`: The
+   [SameSite attribute](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#samesitesamesite-value)
+   value to use for the Flagsmith session cookie. Defaults to `None` if authenticating via HTTPS, or `Lax` otherwise.
 
 ### GitHub Integration Environment Variables
 

Original file line number	Diff line number	Diff line change
`@@ -60,7 +60,7 @@ def project_overrides(request: Request) -> HttpResponse:`
`60`	`60`	`}`
`61`	`61`	`is_secure_request = request.is_secure()`
`62`	`62`	`override_data["useSecureCookies"] = is_secure_request or settings.USE_SECURE_COOKIES`
`63`		`- if settings.COOKIE_SAME_SITE is not None:`
	`63`	`+ if settings.COOKIE_SAME_SITE:`
`64`	`64`	`same_site = settings.COOKIE_SAME_SITE`
`65`	`65`	`elif is_secure_request:`
`66`	`66`	`same_site = "None"`