-
Notifications
You must be signed in to change notification settings - Fork 175
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Samesite setting not being set on HttpOnly token delete #288
Comments
Can confirm. This same thing is happening to me, the only difference is that I am not using the Long Running Refresh Tokens |
I feel like this a pretty major bug. Is nobody else having this problem? |
@aaonhub I'm having the same problem, did you already solve the problem? |
It looks like the method used to delete cookies simply ignores the samesite setting. django-graphql-jwt/graphql_jwt/utils.py Lines 139 to 144 in 704f24e
After a quick test the following change works: def delete_cookie(response, key):
kwargs = {
"path": jwt_settings.JWT_COOKIE_PATH,
"domain": jwt_settings.JWT_COOKIE_DOMAIN,
}
if django.VERSION >= (2, 1):
kwargs["samesite"] = jwt_settings.JWT_COOKIE_SAMESITE
response.delete_cookie(key, **kwargs) |
sorry if there's some standard I'm not following it's my first github issue submission
I don't know why but getting the token works fine but trying to delete it ignores the samesite setting.
My django settings (I tried commenting out the samesite setting but nothing changed):
My apollo client HttpLink:
Token mutation
Deleting token mutation
The text was updated successfully, but these errors were encountered: