Django 2.1 SameSite cookie issue with Safari 12
We just ran into this issue two days ago as we've recently upgraded the Django version for one of our Shopify apps to version 2.1.
We had a user who tried to use the app, and he kept getting redirected to the login page during the OAuth flow. He then tried it in Chrome and it worked fine, so we narrowed the issue down to his web browser, which was Safari, specifically version 12, as we know the app works fine on Safari 11.
After some digging, we found out that Django introduced a SameSite cookie option in Django 2.1. This option provides an additional security measure to help prevent CSRF attacks (which is one of the things we love about Django, the security team is on top of things).
By default, this is set to "Lax," which provides a balance of security and usability. However, this causes an issue specifically with Safari 12 which may be a bug in Safari 12's implementation of SameSite cookies.
Anyway, since Safari has a decent share of the browser market, you can't really ignore Safari users. So we ended up disabling the SESSION_COOKIE_SAMESITE option in Django for now to make sure our app works on all the major browsers out there.
# settings.py
# Prevents the session cookie from being sent in cross-site requests (new in Django 2.1).
# Options are 'Lax' (default), 'Strict', and None (None omits the SameSite attribute entirely).
# Setting to None for now to fix a compatibility issue with Safari 12.
SESSION_COOKIE_SAMESITE = None
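To make the trade-off behind that setting concrete, here is an added example (not code from the post or from Django itself) that models the browser-side SameSite rules from RFC 6265bis and renders the Set-Cookie header the way Django 2.1 does, where a value of None simply leaves the attribute off. The request scenarios, the function names, and the assumption that the app is loaded cross-site inside an iframe (as Shopify embedded apps are) are constructed for illustration; the point is to show exactly which requests start carrying the session cookie again once SameSite is disabled.

```python
"""Policy model for a session cookie's SameSite attribute (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Optional

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")  # RFC 7231 "safe" methods


@dataclass(frozen=True)
class Request:
    same_site: bool   # initiator's site is the same site as the cookie's site
    top_level: bool   # navigation that changes the address bar, not an iframe/XHR/img load
    method: str = "GET"


def cookie_is_sent(samesite: Optional[str], req: Request) -> bool:
    """Return True if a cookie with this SameSite value is attached to `req`.

    Mirrors RFC 6265bis: Strict never crosses sites, Lax crosses only on
    top-level navigations using a safe method, and an absent/None attribute
    is sent everywhere (the pre-SameSite behaviour the post falls back to).
    """
    mode = (samesite or "none").lower()
    if mode not in ("lax", "strict", "none"):
        raise ValueError(f"unknown SameSite value {samesite!r}")
    if req.same_site or mode == "none":
        return True
    if mode == "strict":
        return False
    return req.top_level and req.method.upper() in SAFE_METHODS


def set_cookie_header(name: str, value: str, samesite: Optional[str] = None,
                      secure: bool = False, http_only: bool = True) -> str:
    """Render a Set-Cookie header as Django 2.1 would for the given settings.

    Django 2.1 accepts only 'Lax' or 'Strict'; None means the attribute is
    omitted entirely (the string 'None' only became valid in Django 3.1).
    """
    parts = [f"{name}={value}", "Path=/"]
    if http_only:
        parts.append("HttpOnly")
    if secure:
        parts.append("Secure")
    if samesite is not None:
        if samesite.lower() not in ("lax", "strict"):
            raise ValueError("SESSION_COOKIE_SAMESITE must be 'Lax', 'Strict' or None")
        parts.append(f"SameSite={samesite}")
    return "; ".join(parts)


# Constructed scenarios for an embedded app: which requests carry the session cookie?
SCENARIOS: Dict[str, Request] = {
    # Shopify redirects the browser back to the app after OAuth: cross-site, top-level GET
    "oauth_callback": Request(same_site=False, top_level=True, method="GET"),
    # The app rendered inside the Shopify admin iframe: cross-site, not top-level
    "embedded_iframe": Request(same_site=False, top_level=False, method="GET"),
    # A forged form on an attacker-controlled site posting to the app: cross-site POST
    "cross_site_post": Request(same_site=False, top_level=True, method="POST"),
    # A normal in-app form submission
    "same_site_post": Request(same_site=True, top_level=True, method="POST"),
}


def session_cookie_outcomes(samesite: Optional[str]) -> Dict[str, bool]:
    """Map each scenario to whether the session cookie would be sent."""
    return {name: cookie_is_sent(samesite, req) for name, req in SCENARIOS.items()}


if __name__ == "__main__":
    for setting in ("Lax", "Strict", None):
        print(set_cookie_header("sessionid", "abc123", samesite=setting))
        for name, sent in session_cookie_outcomes(setting).items():
            print(f"  {name:17s} -> {'sent' if sent else 'withheld'}")
```

Running it shows why Lax is the usual default: the OAuth callback still works (top-level GET), while the cross-site POST that a CSRF attack relies on is withheld. It also shows what setting the option to None buys and costs: the cookie now accompanies the embedded iframe load and the cross-site POST alike, so the app must lean on Django's CSRF middleware and token check to cover the gap. One further caveat when revisiting this later: current browsers require the Secure attribute on any cookie that carries an explicit SameSite=None, which Django 3.1 and later can emit, whereas Django 2.1's None simply omits the attribute.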
Tags: django, tech, software development