Skip to content

feat!: drop DCS_SESSION_COOKIE_SAMESITE legacy setting#38758

Merged
feanil merged 2 commits into
masterfrom
feanil/depr-dcs-session-cookie-samesite
Jul 13, 2026
Merged

feat!: drop DCS_SESSION_COOKIE_SAMESITE legacy setting#38758
feanil merged 2 commits into
masterfrom
feanil/depr-dcs-session-cookie-samesite

Conversation

@feanil

@feanil feanil commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

Summary

Removes the DCS_SESSION_COOKIE_SAMESITE and DCS_SESSION_COOKIE_SAMESITE_FORCE_ALL settings, holdovers from the django-cookies-samesite library that was removed from openedx-platform in Sept 2021 (commit 708dbb71ec) when we upgraded to Django 3.2 and its native SESSION_COOKIE_SAMESITE support. Closes the existing TODO in lms/envs/production.py line 135.

  • lms/envs/production.py now sets SESSION_COOKIE_SAMESITE = 'None' directly (preserving current production behavior — required for cross-site OAuth/SSO between LMS and Studio).
  • DCS_-prefixed settings are deleted from lms/envs/common.py and lms/envs/devstack.py.
  • Non-production envs (tests, devstack-without-production-overlay) continue to use Django's 'Lax' default — same as their prior effective behavior, since the DCS_ value in common.py was only ever read by production.py's aliasing line.
  • README's "Security Deployment Requirements" section gains a note for bare-metal operators who load common.py directly: they must set SESSION_COOKIE_SAMESITE = 'None' themselves for Studio SSO to work.

DEPR ticket: #38757

Breaking change

Operators who set DCS_SESSION_COOKIE_SAMESITE in their LMS_CFG YAML or private settings module must rename the key to SESSION_COOKIE_SAMESITE. DCS_SESSION_COOKIE_SAMESITE_FORCE_ALL can be deleted; it has been a no-op since 2021.

@feanil
feanil marked this pull request as ready for review July 7, 2026 13:02
@feanil
feanil requested a review from kdmccormick as a code owner July 7, 2026 13:02
@feanil
feanil force-pushed the feanil/depr-dcs-session-cookie-samesite branch from e9a5580 to c128a02 Compare July 7, 2026 13:03
feanil and others added 2 commits July 7, 2026 09:41
DCS_SESSION_COOKIE_SAMESITE and DCS_SESSION_COOKIE_SAMESITE_FORCE_ALL
were a holdover from the django-cookies-samesite library, a backport
of SameSite cookie support for Django < 3.1. That library was removed
from openedx-platform in 2021 (commit 708dbb7) when we upgraded to
Django 3.2, which has native SESSION_COOKIE_SAMESITE support.

Since then DCS_SESSION_COOKIE_SAMESITE_FORCE_ALL has been completely
unused, and DCS_SESSION_COOKIE_SAMESITE was only consumed by an alias
line in lms/envs/production.py that copied it into the standard
SESSION_COOKIE_SAMESITE.

Set SESSION_COOKIE_SAMESITE = 'None' directly in production.py to
preserve the existing production behavior, and 'Lax' in devstack.py
(which imports from production via `from .production import *` and
would otherwise inherit 'None', breaking login over plain HTTP). Drop
the DCS_-prefixed settings from common.py and devstack.py.

See DEPR ticket: #38757

BREAKING CHANGE: Operators who set DCS_SESSION_COOKIE_SAMESITE in their
LMS_CFG yaml or a private settings module must rename the key to
SESSION_COOKIE_SAMESITE. DCS_SESSION_COOKIE_SAMESITE_FORCE_ALL can be
deleted; it has been a no-op since the django-cookies-samesite package
was removed in 2021.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
When loading lms/envs/production.py, SESSION_COOKIE_SAMESITE is set to
'None' to support cross-site flows like LMS <-> Studio SSO. Bare-metal
setups that load only common.py inherit Django's 'Lax' default and
must configure this explicitly. Document the requirement next to the
existing Security Deployment Requirements.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@feanil
feanil force-pushed the feanil/depr-dcs-session-cookie-samesite branch from c128a02 to 09cb3fb Compare July 7, 2026 13:41
@feanil
feanil merged commit b0b5cb0 into master Jul 13, 2026
46 checks passed
@feanil
feanil deleted the feanil/depr-dcs-session-cookie-samesite branch July 13, 2026 18:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants