Merge pull request #378 from RouganStriker/override_samesite_value

Allow overriding SameSite value for session cookie

Author: Giuseppe De Marco

djangosaml2/middleware.py

@@ -26,6 +26,8 @@ def process_response(self, request, response):
         session every time, save the changes and set a session cookie or delete
         the session cookie if the session has been emptied.
         """
+        SAMESITE = getattr(settings, "SAML_SESSION_COOKIE_SAMESITE", SAMESITE_NONE)
+
         try:
             accessed = request.saml_session.accessed
             modified = request.saml_session.modified
@@ -39,7 +41,7 @@ def process_response(self, request, response):
                 self.cookie_name,
                 path=settings.SESSION_COOKIE_PATH,
                 domain=settings.SESSION_COOKIE_DOMAIN,
-                samesite=SAMESITE_NONE,
+                samesite=SAMESITE,
             )
             patch_vary_headers(response, ("Cookie",))
         else:
@@ -74,6 +76,6 @@ def process_response(self, request, response):
                         path=settings.SESSION_COOKIE_PATH,
                         secure=settings.SESSION_COOKIE_SECURE or None,
                         httponly=settings.SESSION_COOKIE_HTTPONLY or None,
-                        samesite=SAMESITE_NONE,
+                        samesite=SAMESITE,
                     )
         return response

djangosaml2/tests/__init__.py

@@ -1030,3 +1030,31 @@ def test_middleware_cookie_with_expiry(self):
             self.assertIsNotNone(cookie["expires"])
             self.assertNotEqual(cookie["expires"], "")
             self.assertNotEqual(cookie["max-age"], "")
+
+    def test_middleware_cookie_samesite(self):
+        with override_settings(SAML_SESSION_COOKIE_SAMESITE="Lax"):
+            session = self.get_session()
+            session.save()
+            self.set_session_cookies(session)
+
+            config_loader_path = "djangosaml2.tests.test_config_loader_with_real_conf"
+            request = RequestFactory().get("/login/")
+            request.user = AnonymousUser()
+            request.session = session
+            middleware = SamlSessionMiddleware(dummy_get_response)
+            middleware.process_request(request)
+
+            saml_session_name = getattr(
+                settings, "SAML_SESSION_COOKIE_NAME", "saml_session"
+            )
+            getattr(request, saml_session_name).save()
+
+            response = views.LoginView.as_view(config_loader_path=config_loader_path)(
+                request
+            )
+
+            response = middleware.process_response(request, response)
+
+            cookie = response.cookies[saml_session_name]
+
+            self.assertEqual(cookie["samesite"], "Lax")

docs/source/contents/setup.rst

@@ -62,14 +62,18 @@ You can even configure the SAML cookie name as follows::
 
   SAML_SESSION_COOKIE_NAME = 'saml_session'
 
+By default, djangosaml2 will set "SameSite=None" for the SAML session cookie. This value can be configured as follows::
+
+  SAML_SESSION_COOKIE_SAMESITE = 'Lax'
+
 Remember that in your browser "SameSite=None" attribute MUST also
 have the "Secure" attribute, which is required in order to use "SameSite=None", otherwise the cookie will be blocked, so you must also set::
 
   SESSION_COOKIE_SECURE = True
 
 .. Note::
 
-  djangosaml2 will attempt to set the ``SameSite`` attribute of the SAML session cookie to ``None`` so that it can be
+  djangosaml2 will by default attempt to set the ``SameSite`` attribute of the SAML session cookie to ``None`` so that it can be
   used in cross-site requests, but this is only possible with Django 3.1 or higher. If you are experiencing issues with
   unsolicited requests or cookies not being sent (particularly when using the HTTP-POST binding), consider upgrading
   to Django 3.1 or higher. If you can't do that, configure "allow_unsolicited" to True in pySAML2 configuration.

setup.py

@@ -27,7 +27,7 @@ def read(*rnames):
 
 setup(
     name="djangosaml2",
-    version="1.5.8",
+    version="1.6.0",
     description="pysaml2 integration for Django",
     long_description=read("README.md"),
     long_description_content_type="text/markdown",