feat!: drop DCS_SESSION_COOKIE_SAMESITE legacy setting #38758
Draft
feanil wants to merge 2 commits into
DCS_SESSION_COOKIE_SAMESITE and DCS_SESSION_COOKIE_SAMESITE_FORCE_ALL were a holdover from the django-cookies-samesite library, a backport of SameSite cookie support for Django < 3.1. That library was removed from openedx-platform in 2021 (commit 708dbb7) when we upgraded to Django 3.2, which has native SESSION_COOKIE_SAMESITE support. Since then DCS_SESSION_COOKIE_SAMESITE_FORCE_ALL has been completely unused, and DCS_SESSION_COOKIE_SAMESITE was only consumed by an alias line in lms/envs/production.py that copied it into the standard SESSION_COOKIE_SAMESITE.

Set SESSION_COOKIE_SAMESITE = 'None' directly in production.py to preserve the existing behavior, and drop the DCS_-prefixed settings from common.py and devstack.py. Non-production envs continue to use Django's 'Lax' default.

See DEPR ticket: #38757

BREAKING CHANGE: Operators who set DCS_SESSION_COOKIE_SAMESITE in their LMS_CFG yaml or a private settings module must rename the key to SESSION_COOKIE_SAMESITE. DCS_SESSION_COOKIE_SAMESITE_FORCE_ALL can be deleted; it has been a no-op since the django-cookies-samesite package was removed in 2021.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
When loading lms/envs/production.py, SESSION_COOKIE_SAMESITE is set to 'None' to support cross-site flows like LMS <-> Studio SSO. Bare-metal setups that load only common.py inherit Django's 'Lax' default and must configure this explicitly. Document the requirement next to the existing Security Deployment Requirements.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Removes the `DCS_SESSION_COOKIE_SAMESITE` and `DCS_SESSION_COOKIE_SAMESITE_FORCE_ALL` settings, holdovers from the `django-cookies-samesite` library that was removed from `openedx-platform` in Sept 2021 (commit 708dbb71ec) when we upgraded to Django 3.2 and its native `SESSION_COOKIE_SAMESITE` support. Closes the existing `TODO` in `lms/envs/production.py` line 135.

- `lms/envs/production.py` now sets `SESSION_COOKIE_SAMESITE = 'None'` directly (preserving current production behavior — required for cross-site OAuth/SSO between LMS and Studio).
- `DCS_`-prefixed settings are deleted from `lms/envs/common.py` and `lms/envs/devstack.py`.
- `'Lax'` default — same as their prior effective behavior, since the `DCS_` value in `common.py` was only ever read by `production.py`'s aliasing line.
- `common.py` directly: they must set `SESSION_COOKIE_SAMESITE = 'None'` themselves for Studio SSO to work.

DEPR ticket: #38757
Breaking change
Operators who set `DCS_SESSION_COOKIE_SAMESITE` in their `LMS_CFG` YAML or private settings module must rename the key to `SESSION_COOKIE_SAMESITE`. `DCS_SESSION_COOKIE_SAMESITE_FORCE_ALL` can be deleted; it has been a no-op since 2021.
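As an added example (not code from this PR or from openedx-platform), a small checker an operator could run over the relevant keys of their LMS_CFG mapping before upgrading: it flags the legacy `DCS_` keys, applies the rename, and catches the two deployment mistakes the change makes possible (a non-`'None'` value where cross-site Studio SSO is needed, and `'None'` without `SESSION_COOKIE_SECURE`, which browsers refuse to store). The `check_samesite_settings`/`migrate_legacy_keys` functions, the `cross_site_sso` flag and the sample config are assumptions; the setting names are the ones the PR names.

```python
"""Lint the SameSite session-cookie keys of an Open edX LMS_CFG mapping.

Added example, not openedx-platform code. Only the Django/Open edX setting
names are real; the checker, the cross_site_sso flag and the sample config
below are hypothetical.
"""

LEGACY_ALIAS = "DCS_SESSION_COOKIE_SAMESITE"          # must be renamed
LEGACY_NOOP = "DCS_SESSION_COOKIE_SAMESITE_FORCE_ALL"  # no-op since 2021
VALID_SAMESITE = {"Lax", "Strict", "None", None, False}  # Django's accepted values


def check_samesite_settings(cfg: dict, cross_site_sso: bool = True) -> list:
    """Return a list of findings for cfg; an empty list means it is clean.

    cross_site_sso=True models a deployment that needs LMS <-> Studio SSO,
    which the PR says requires SESSION_COOKIE_SAMESITE = 'None'.
    """
    findings = []
    if LEGACY_ALIAS in cfg:
        findings.append(f"{LEGACY_ALIAS} is no longer read; rename it to SESSION_COOKIE_SAMESITE")
    if LEGACY_NOOP in cfg:
        findings.append(f"{LEGACY_NOOP} has been a no-op since 2021; delete it")

    # Django's own default is 'Lax'; only production.py overrides it to 'None'.
    samesite = cfg.get("SESSION_COOKIE_SAMESITE", "Lax")
    if samesite not in VALID_SAMESITE:
        findings.append(f"SESSION_COOKIE_SAMESITE={samesite!r} is not a value Django accepts")
    elif samesite == "None" and not cfg.get("SESSION_COOKIE_SECURE", False):
        # Browsers drop SameSite=None cookies that lack the Secure attribute,
        # so the session cookie would never be stored at all.
        findings.append("SESSION_COOKIE_SAMESITE='None' requires SESSION_COOKIE_SECURE=True")
    elif samesite != "None" and cross_site_sso:
        findings.append("cross-site LMS <-> Studio SSO needs SESSION_COOKIE_SAMESITE='None'")
    return findings


def migrate_legacy_keys(cfg: dict) -> dict:
    """Return a copy of cfg with the rename applied and the no-op key dropped."""
    migrated = {k: v for k, v in cfg.items() if k != LEGACY_NOOP}
    if LEGACY_ALIAS in migrated:
        # An explicit SESSION_COOKIE_SAMESITE wins over the old alias.
        migrated.setdefault("SESSION_COOKIE_SAMESITE", migrated.pop(LEGACY_ALIAS))
    return migrated


# Constructed sample of a pre-change LMS_CFG (not a real deployment).
LEGACY_LMS_CFG = {
    "DCS_SESSION_COOKIE_SAMESITE": "None",
    "DCS_SESSION_COOKIE_SAMESITE_FORCE_ALL": True,
    "SESSION_COOKIE_SECURE": True,
}

if __name__ == "__main__":
    for finding in check_samesite_settings(LEGACY_LMS_CFG):
        print("before:", finding)
    print("after: ", check_samesite_settings(migrate_legacy_keys(LEGACY_LMS_CFG)) or "clean")
```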