Django 2.1.x introduces support of SameSite flag for session and csrf cookie.
Unfortunately, this functionality will not be ported to older versions of Django e.g. 1.11.x.
This repository contains a middleware which automatically sets SameSite attribute for session and csrf cookies in legacy versions of Django.
Install django-cookies-samesite:
pip install django-cookies-samesite
Add the middleware to the top of MIDDLEWARE_CLASSES:
MIDDLEWARE_CLASSES = (
'django_cookies_samesite.middleware.CookiesSameSite',
...
)Set your preferred SameSite policy in settings.py:
SESSION_COOKIE_SAMESITE = 'Lax'This can be 'Lax', 'None', 'Strict', or None to disable the flag.
Also, you can set this flag in your custom cookies:
SESSION_COOKIE_SAMESITE_KEYS = {'my-custom-cookies'}After that you should be able to see SameSite flag set for session and csrf cookies: ![screenshot]()
Does the code actually work?
source <YOURVIRTUALENV>/bin/activate (myenv) $ pip install tox (myenv) $ tox
Tools used in rendering this package: