From e8038701a3ad0e2a88fd96d069bb4b8fdf8af3b1 Mon Sep 17 00:00:00 2001
From: valentin
Date: Thu, 17 Sep 2020 22:53:39 +0200
Subject: [PATCH] Add samesite attribute in the delete_cookie call

---
 rest_framework_simplejwt/views.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/rest_framework_simplejwt/views.py b/rest_framework_simplejwt/views.py
index 65abb02e6..abb544f53 100644
--- a/rest_framework_simplejwt/views.py
+++ b/rest_framework_simplejwt/views.py
@@ -18,6 +18,7 @@ from .exceptions import InvalidToken, TokenError
 #Need to set samesite to None. (Available in django 3.1)
+# set secure to True with None
 class Response(R):
     def set_cookie(self, key, value='', max_age=None, expires=None, path='/',
@@ -56,7 +57,7 @@ def set_cookie(self, key, value='', max_age=None, expires=None, path='/',
             self.cookies[key]['path'] = path
         if domain is not None:
             self.cookies[key]['domain'] = domain
-        if secure:
+        if secure or samesite.lower() == 'none':
             self.cookies[key]['secure'] = True
         if httponly:
             self.cookies[key]['httponly'] = True
@@ -256,12 +257,14 @@ def delete_auth_cookies(self, response):
         response.delete_cookie(
             api_settings.AUTH_COOKIE,
             domain=api_settings.AUTH_COOKIE_DOMAIN,
-            path=api_settings.AUTH_COOKIE_PATH
+            path=api_settings.AUTH_COOKIE_PATH,
+            samesite=api_settings.AUTH_COOKIE_SAMESITE
         )
         response.delete_cookie(
             '{}_refresh'.format(api_settings.AUTH_COOKIE),
             domain=None,
             path=reverse(self.token_refresh_view_name),
+            samesite=api_settings.AUTH_COOKIE_SAMESITE
         )
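Review bot: The added comment `# set secure to True with None` does not say which attribute "None" refers to or why the override exists, so a reader has to find the changed condition in set_cookie to understand it. Since this comment documents the reason the whole Response subclass exists, it is worth being explicit: `# Browsers reject SameSite=None cookies that lack the Secure flag, so the set_cookie override below forces secure=True whenever samesite is 'none'.` The class and the set_cookie signature continue outside this hunk.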
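Review bot: The new condition `if secure or samesite.lower() == 'none':` raises AttributeError when samesite is None and secure is False, which is the case for every caller that leaves samesite at its default if this override keeps Django's `samesite=None` signature (the parameter list of set_cookie is cut off outside this hunk, so I cannot confirm the default here). The third hunk makes this more likely to be hit: delete_cookie in Django 3.1 forwards its samesite argument to set_cookie, so an unset `AUTH_COOKIE_SAMESITE` would crash logout rather than just delete the cookie. Guard the None case, e.g. `if secure or (samesite and samesite.lower() == 'none'):`, and consider documenting on the line why Secure is forced for SameSite=None (browsers drop such cookies otherwise). Note that Django's own set_cookie also rejects samesite values outside lax/none/strict; if this override copied that validation it sits outside the hunk and should be kept consistent with the lowercase comparison used here.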
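Review bot: `response.delete_cookie(..., samesite=api_settings.AUTH_COOKIE_SAMESITE)` relies on the samesite keyword that Django's delete_cookie gained in 3.1; on earlier versions both calls raise TypeError at logout, so the version requirement the file comment mentions for SameSite=None now applies to the logout path too and should be stated on delete_auth_cookies (its def line is only in the hunk header, so the function starts outside this hunk). A browser only clears a cookie when the deletion's path and domain match the cookie that was set, and the refresh cookie is deleted with `domain=None` while the access cookie uses `AUTH_COOKIE_DOMAIN`; I cannot see how the refresh cookie is originally set, so please confirm the two match or the refresh cookie will survive logout. A short comment would help the next reader, e.g. `# Attributes here must match the ones used when the cookies were set, or browsers keep the cookie; samesite requires Django >= 3.1.`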