From 9e1ee5ae45a2ef45e191ed3b1cffe26b362c3ee4 Mon Sep 17 00:00:00 2001
From: mike seibel
Date: Tue, 1 Sep 2020 20:36:54 -0700
Subject: [PATCH 1/2] pass lti sessionid

---
 project/base_settings/auth_settings.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/project/base_settings/auth_settings.py b/project/base_settings/auth_settings.py
index 9025f79..c55e3f2 100644
--- a/project/base_settings/auth_settings.py
+++ b/project/base_settings/auth_settings.py
@@ -90,8 +90,14 @@ def auth_from_env(auth):
 if _auth:
     INSTALLED_APPS.append('blti')
+    MIDDLEWARE.remove('django.middleware.clickjacking.XFrameOptionsMiddleware')
     MIDDLEWARE.insert(0, 'blti.middleware.SessionHeaderMiddleware')
     MIDDLEWARE.insert(0, 'blti.middleware.CSRFHeaderMiddleware')
+    MIDDLEWARE.insert(0, 'blti.middleware.SameSiteMiddleware')
+
+    # relax samesite, but protect cookies from casual snooping
+    SESSION_COOKIE_SECURE = True
+    CSRF_COOKIE_SECURE = True
 LTI_ENFORCE_SSL = parse_bool_from_str(os.getenv('LTI_ENFORCE_SSL', 'False'))

From ddb9b52d36917456a209ea1477d5ac9aa266a592 Mon Sep 17 00:00:00 2001
From: mike seibel
Date: Tue, 1 Sep 2020 20:42:05 -0700
Subject: [PATCH 2/2] comment

---
 project/base_settings/auth_settings.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/project/base_settings/auth_settings.py b/project/base_settings/auth_settings.py
index c55e3f2..f20f729 100644
--- a/project/base_settings/auth_settings.py
+++ b/project/base_settings/auth_settings.py
@@ -95,7 +95,8 @@ def auth_from_env(auth):
     MIDDLEWARE.insert(0, 'blti.middleware.CSRFHeaderMiddleware')
     MIDDLEWARE.insert(0, 'blti.middleware.SameSiteMiddleware')
-    # relax samesite, but protect cookies from casual snooping
+    # relax samesite (django-blti>=2.2.1),
+    # but protect cookies from casual snooping
     SESSION_COOKIE_SECURE = True
     CSRF_COOKIE_SECURE = True
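Review bot: The added `MIDDLEWARE.remove('django.middleware.clickjacking.XFrameOptionsMiddleware')` in the first hunk strips the X-Frame-Options header from every response of the project whenever LTI auth is enabled, not only from the views that must render inside the LMS iframe, so all other pages become frameable. A narrower change keeps the middleware and exempts just the LTI launch views with Django's `xframe_options_exempt` decorator (or a CSP frame-ancestors allow-list for the LMS origin), and at minimum the removal should be explained in a comment such as `# LTI launches render inside the LMS iframe; frame protection is dropped project-wide here`. The bare `.remove()` also raises ValueError if the entry is absent from MIDDLEWARE, so guard it: `if 'django.middleware.clickjacking.XFrameOptionsMiddleware' in MIDDLEWARE:` before the call. `SESSION_COOKIE_SECURE = True` and `CSRF_COOKIE_SECURE = True` are set unconditionally while the visible `LTI_ENFORCE_SSL` defaults to 'False', which suggests plain-HTTP deployments are allowed; on such a deployment the browser will not send the Secure cookies and session/CSRF checks will presumably fail, so the two settings should be documented as requiring HTTPS. The enclosing `if _auth:` block's indentation and surrounding scope are not visible in the collapsed hunk, so whether these assignments are module-level settings is inferred.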