From 77c2aecc4e54a0be172e33ba2c1117e587d430d4 Mon Sep 17 00:00:00 2001
From: Feanil Patel
Date: Mon, 15 Jun 2026 12:01:23 -0400
Subject: [PATCH 1/2] feat!: drop DCS_SESSION_COOKIE_SAMESITE legacy setting

DCS_SESSION_COOKIE_SAMESITE and DCS_SESSION_COOKIE_SAMESITE_FORCE_ALL were a holdover from the django-cookies-samesite library, a backport of SameSite cookie support for Django < 3.1. That library was removed from openedx-platform in 2021 (commit 708dbb71ec) when we upgraded to Django 3.2, which has native SESSION_COOKIE_SAMESITE support. Since then DCS_SESSION_COOKIE_SAMESITE_FORCE_ALL has been completely unused, and DCS_SESSION_COOKIE_SAMESITE was only consumed by an alias line in lms/envs/production.py that copied it into the standard SESSION_COOKIE_SAMESITE. Set SESSION_COOKIE_SAMESITE = 'None' directly in production.py to preserve the existing behavior, and drop the DCS_-prefixed settings from common.py and devstack.py. Non-production envs continue to use Django's 'Lax' default.

See DEPR ticket: https://github.com/openedx/openedx-platform/issues/38757

BREAKING CHANGE: Operators who set DCS_SESSION_COOKIE_SAMESITE in their LMS_CFG yaml or a private settings module must rename the key to SESSION_COOKIE_SAMESITE. DCS_SESSION_COOKIE_SAMESITE_FORCE_ALL can be deleted; it has been a no-op since the django-cookies-samesite package was removed in 2021.

Co-authored-by: Claude Opus 4.7 (1M context)
---
 lms/envs/common.py | 4 ----
 lms/envs/devstack.py | 4 ----
 lms/envs/production.py | 7 ++++---
 3 files changed, 4 insertions(+), 11 deletions(-)

diff --git a/lms/envs/common.py b/lms/envs/common.py
index 828c7874152b..fae6fae1ffd7 100644
--- a/lms/envs/common.py
+++ b/lms/envs/common.py
@@ -989,10 +989,6 @@
 
 ############################### DJANGO BUILT-INS ###############################
 
-# django-session-cookie middleware
-DCS_SESSION_COOKIE_SAMESITE = 'None'
-DCS_SESSION_COOKIE_SAMESITE_FORCE_ALL = True
-
 # LMS base
 LMS_BASE = 'localhost:18000'
 
diff --git a/lms/envs/devstack.py b/lms/envs/devstack.py
index 1043016a6b2b..32ca9616c659 100644
--- a/lms/envs/devstack.py
+++ b/lms/envs/devstack.py
@@ -474,10 +474,6 @@ def should_show_debug_toolbar(request): # pylint: disable=missing-function-docs
 
 #####################################################################
 
-# django-session-cookie middleware
-DCS_SESSION_COOKIE_SAMESITE = 'Lax'
-DCS_SESSION_COOKIE_SAMESITE_FORCE_ALL = True
-
 ########################## THEMING #######################
 # If you want to enable theming in devstack, uncomment this section and add any relevant
 # theme directories to COMPREHENSIVE_THEME_DIRS
diff --git a/lms/envs/production.py b/lms/envs/production.py
index b954841d59bc..b3d2b64f0e88 100644
--- a/lms/envs/production.py
+++ b/lms/envs/production.py
@@ -132,9 +132,10 @@ def get_env_setting(setting):
 
 DATA_DIR = path(DATA_DIR) # noqa: F405
 
-# TODO: This was for backwards compatibility back when installed django-cookie-samesite (not since 2022).
-# The DCS_ version of the setting can be DEPR'd at this point.
-SESSION_COOKIE_SAMESITE = DCS_SESSION_COOKIE_SAMESITE # noqa: F405
+# Required to be 'None' so the session cookie is sent on cross-site requests
+# (e.g. LMS <-> Studio SSO). Browsers reject SameSite=None unless the cookie
+# is also Secure, so production deployments must serve over HTTPS.
+SESSION_COOKIE_SAMESITE = 'None'
 
 for feature, value in _YAML_TOKENS.get('FEATURES', {}).items():
     FEATURES[feature] = value

From e9a5580355a2542152df65e20ce92bffe627a391 Mon Sep 17 00:00:00 2001
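Review bot: Hard-coding `SESSION_COOKIE_SAMESITE = 'None'` at this point in production.py looks like it overrides any value an operator sets in LMS_CFG, because the surrounding lines (`DATA_DIR = path(DATA_DIR)` and the `_YAML_TOKENS` FEATURES loop) suggest the yaml tokens have already been merged into the module namespace by here, whereas the removed alias read the merged DCS_ value and so honoured yaml overrides. That contradicts the BREAKING CHANGE guidance to rename the key to SESSION_COOKIE_SAMESITE, since a renamed key would be silently clobbered back to 'None'. If yaml overrides are meant to keep working, read the merged value with a fallback, e.g. `SESSION_COOKIE_SAMESITE = _YAML_TOKENS.get('SESSION_COOKIE_SAMESITE', 'None')`, and word the comment so 'None' is described as the default rather than a fixed requirement. The comment notes that browsers drop SameSite=None cookies without Secure, but nothing here ties it to `SESSION_COOKIE_SECURE`; a startup log warning when SESSION_COOKIE_SECURE is False would make the HTTPS requirement actionable instead of only documented. If devstack.py still imports `from .production import *` (not visible in this hunk), it inherits this 'None' too, so the claim that non-production envs keep Django's 'Lax' default only holds for environments that never load production.py.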
From: Feanil Patel
Date: Mon, 15 Jun 2026 12:01:56 -0400
Subject: [PATCH 2/2] docs: note SESSION_COOKIE_SAMESITE requirement for bare-metal LMS

When loading lms/envs/production.py, SESSION_COOKIE_SAMESITE is set to 'None' to support cross-site flows like LMS <-> Studio SSO. Bare-metal setups that load only common.py inherit Django's 'Lax' default and must configure this explicitly. Document the requirement next to the existing Security Deployment Requirements.

Co-authored-by: Claude Opus 4.7 (1M context)
---
 README.rst | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/README.rst b/README.rst
index 1e404c53dd49..4b84c9d9bcde 100644
--- a/README.rst
+++ b/README.rst
@@ -245,6 +245,20 @@ Tutor-based deployments satisfy this requirement automatically.
 For bare-metal or custom deployments, verify that ``CACHES['default']``
 points at a shared Redis or Memcached instance before enabling these features.
 
+Session Cookie SameSite
+=======================
+
+Open edX's LMS <-> Studio SSO flow relies on the session cookie being sent
+on cross-site requests, which requires ``SESSION_COOKIE_SAMESITE = 'None'``.
+This is set automatically when ``lms/envs/production.py`` is loaded.
+
+If you run an LMS *without* loading ``production.py`` (e.g. a stripped-down
+setup that loads only ``lms/envs/common.py``), set ``SESSION_COOKIE_SAMESITE
+= 'None'`` in your settings yourself. ``SameSite=None`` cookies also require
+``SESSION_COOKIE_SECURE = True`` and HTTPS, so over plain HTTP use ``'Lax'``
+instead — in that case some cross-site flows (notably Studio SSO) will not
+work.
+
 .. _lms/djangoapps/lti_provider/README.rst: lms/djangoapps/lti_provider/README.rst
 
 License