Cookie: SameSite=None not working because of outdated Rack version

Hi,

The support for SameSite ‘None’ was added (by me) a couple of weeks ago. Now you can select ‘None’ as the cookie setting. However, when you change and save it, you cannot log in anymore. The session/csrf request returns a 500.

I tracked that error down and the logs say:
Failed to handle exception in exception app middleware : Invalid SameSite value: "None"
in
/var/www/discourse/vendor/bundle/ruby/2.6.0/gems/rack-2.0.8/lib/rack/utils.rb:260:in `add_cookie_to_header'

Now, I found out that our current Rack version (2.0.8) doesn’t support SameSite ‘None’ as a setting. It is supported by the most recent version of Rack, though.

The Gemfile in the project carries a comment hinting that an upgrade of Rack might break something:

Therefore, I would prefer that someone with deeper knowledge of the project than I have does the upgrade.

I would see that as critical, since, if you change the cookie setting to “None”, nobody is able to log in anymore and the only way to fix it is through the database.

Can anyone please either fix it or assist? I’m not super professional in Ruby.

1 Like
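To make the failure mode concrete, here is an added example written for this thread (it is not Discourse's or Rack's own code). It emulates the Set-Cookie serialisation the post describes: a profile modelled on Rack 2.0.8, which only knows Strict and Lax and raises "Invalid SameSite value" for anything else (so the session/csrf endpoint answers 500 and login is impossible), and a profile modelled on the upgraded Rack that emits SameSite=None. It also adds the check a practitioner wants next: browsers only honour SameSite=None together with Secure, so a None cookie on a plain-HTTP site would still break login, just silently. The profile names, the `_forum_session` cookie name and the accepted-value tables are assumptions for illustration.

```ruby
# Added example, not Discourse or Rack code. Emulates how a cookie layer
# validates the same_site option before and after the Rack upgrade.

# Tokens each emulated Rack generation accepts for same_site (assumed tables
# modelled on the behaviour reported in the thread).
SAME_SITE_PROFILES = {
  rack_2_0_8:    { strict: 'Strict', lax: 'Lax' },
  rack_upgraded: { strict: 'Strict', lax: 'Lax', none: 'None' }
}.freeze

# Map the option as an app passes it (symbol, string, true/false, nil) to the
# canonical attribute token, or raise exactly like the log line in the post.
def same_site_token(raw, profile)
  return nil if raw.nil? || raw == false
  key = raw == true ? :strict : raw.to_s.downcase.to_sym
  token = SAME_SITE_PROFILES.fetch(profile)[key]
  raise ArgumentError, "Invalid SameSite value: #{raw.inspect}" unless token
  token
end

# Serialise one Set-Cookie header value; `profile` selects the emulated Rack.
def set_cookie_header(name, value, opts = {}, profile: :rack_upgraded)
  parts = ["#{name}=#{value}"]
  parts << "Path=#{opts[:path]}" if opts[:path]
  parts << 'Secure' if opts[:secure]
  parts << 'HttpOnly' if opts[:httponly]
  token = same_site_token(opts[:same_site], profile)
  parts << "SameSite=#{token}" if token
  parts.join('; ')
end

# What the session/csrf endpoint effectively does: set the session cookie and
# turn an exception from the cookie layer into a 500. Returns [status, body].
def session_response(profile:, same_site:, secure: true)
  opts = { path: '/', httponly: true, secure: secure, same_site: same_site }
  [200, set_cookie_header('_forum_session', 'opaque', opts, profile: profile)]
rescue ArgumentError => e
  [500, e.message]
end

# Browser-side check: SameSite=None is only stored when Secure is also set;
# otherwise current browsers drop the cookie and login fails without a 500.
def browser_accepts?(header)
  attrs = header.split('; ').map(&:downcase)
  return true unless attrs.include?('samesite=none')
  attrs.include?('secure')
end

if __FILE__ == $PROGRAM_NAME
  p session_response(profile: :rack_2_0_8, same_site: 'None')
  p session_response(profile: :rack_upgraded, same_site: 'None')
  p browser_accepts?(set_cookie_header('a', 'b', { same_site: 'None' }))
end
```

Running it prints the 500 with the same message the log shows for the old profile, the full `Secure; HttpOnly; SameSite=None` cookie for the upgraded one, and `false` for a None cookie that lacks Secure. The last case is the reason a SameSite=None site setting should only be offered on HTTPS deployments.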

Hi @dave0688 - thanks for raising this. I just removed the samesite=none option, so that we avoid causing a server error.

We have the rack upgrade on our radar, but it will be quite complicated. I don’t have an exact ETA.

Once it’s upgraded, we’ll be happy to add the SameSite=none site setting back again.

6 Likes

@dave0688 FYI, we now have Rack upgraded, so I reapplied your commit:

https://github.com/discourse/discourse/commit/f2574736a22850a6972ea8fda659b98603650807

4 Likes