@DanielMcQ I seemed to get LTI Consumer through Canvas pulling content from our Open edX Provider by doing the following.
I haven’t received any error about not being logged into my edX account from Canvas and the SESSION_COOKIE_NAME doesn’t display the message since Secure=True and SameSite=None for that cookie.
The cookie didn’t specify a SameSite attribute when it was stored and defaulted to “SameSite=Lax” and broke the same rules specified in the SameSiteLax value. The cookie had to have been set with “SameSite=None” to enable third-party usage.
- Installed middleware to update SameSite=None for cookies set by Open edX platform. Following directions from the latest release here on how to install the middleware component.
GitHub - jotes/django-cookies-samesite at v0.5.1
Install django-cookies-samesite:
```
pip install django-cookies-samesite
```
Add the middleware to the top of MIDDLEWARE_CLASSES:
```python
MIDDLEWARE_CLASSES = (
    'django_cookies_samesite.middleware.CookiesSameSite',
    ...
)
```
- Updated /edx/app/edxapp/{cms,lms}.env.json files to include the following changes.
```json
{
    "CSRF_COOKIE_SECURE": true,
    "SESSION_COOKIE_SECURE": true
}
```
- Updated /edx/app/edxapp/edx-platform/lms/envs/private.py file to include the additional changes.
```python
# Setup for django-cookies-samesite
SESSION_COOKIE_SAMESITE = 'None'
SESSION_COOKIE_SAMESITE_FORCE_ALL = True
```
The django-cookies-samesite middleware has a setting if you need to set specific cookies like so, however, I just forced all cookies to set SameSite=None with the force all setting.
```python
SESSION_COOKIE_SAMESITE_KEYS = {'sessionid', 'hideCaptions', 'hide_captions'}
```
There are additionally places within the edx-platform repo where additional cookies are being set. A code update would need to include the following changes of the secure parameter for this SameSite change to work over LTI.
```python
response.set_cookie(..., secure=request.is_secure())
```
This article kind of gives a better idea of what’s happening with the SameSite cookie change from Chrome and other browsers that are adopting this update.
cc: @jill
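The SameSite rules described in the post above, as an added example that is not part of the original post or of django-cookies-samesite: a small checker that takes `Set-Cookie` header values and reports whether a browser enforcing those rules will send each cookie inside a cross-site LTI iframe. The function names and the sample headers are constructed for illustration; treating an unrecognised SameSite value like a missing one is an assumption.

```python
def parse_set_cookie(header):
    """Split a Set-Cookie value into (cookie name, {lower-cased attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def third_party_verdict(header):
    """Return (name, verdict) for use in a cross-site frame such as an LTI launch.

    sent     - SameSite=None together with Secure
    rejected - SameSite=None without Secure; the browser refuses to store it
    blocked  - Lax, Strict, missing (defaults to Lax) or unrecognised (assumed default)
    """
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    secure = "secure" in attrs  # flag attribute, present with an empty value
    if samesite == "none":
        return name, "sent" if secure else "rejected"
    return name, "blocked"


def unusable_in_iframe(headers):
    """Names of cookies that will not reach the provider from inside the iframe."""
    verdicts = (third_party_verdict(h) for h in headers)
    return [name for name, verdict in verdicts if verdict != "sent"]


# Constructed sample response headers (not captured from a real Open edX site).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=None",
    "csrftoken=def456; Path=/; Secure",              # no SameSite -> Lax by default
    "hide_captions=true; Path=/; SameSite=None",     # set without secure=...
    "edxloggedin=true; Path=/; Secure; SameSite=Lax",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(third_party_verdict(header))
    print("not sent in iframe:", unusable_in_iframe(SAMPLE_HEADERS))
```

Feeding it the `Set-Cookie` values copied from the browser's network panel after a launch shows which cookies still need `secure=` or the middleware's SameSite override.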