Merge pull request #1096 from sul-dlss/debug-token-controller

Set cookies SameSite=None
sul-dlss · Dec 20, 2023 · cda9526 · cda9526
2 parents 5b43596 + a337d3f
commit cda9526
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/config/application.rb b/config/application.rb
@@ -42,5 +42,10 @@ class Application < Rails::Application
                              "172.20.21.208/28", # foa_lb_mgmt_dev_nets
                              "172.20.21.192/28" # foa_lb_mgmt_prod_nets
                            ].map { |proxy| IPAddr.new(proxy) }
+
+
+    # IIIF Auth v2 makes a request in one window to login and then opens a iframe to get a token.
+    # In order for this second request to know who the user is, the session token must created with SameSite=None
+    config.action_dispatch.cookies_same_site_protection = :none
   end
 end
diff --git a/config/environments/production.rb b/config/environments/production.rb
@@ -38,7 +38,7 @@
   # config.action_dispatch.x_sendfile_header = "X-Accel-Redirect" # for NGINX
 
   # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
-  # config.force_ssl = true
+  config.force_ssl = true
 
   # Include generic and useful information about system operation, but avoid logging too much
   # information to avoid inadvertent exposure of personally identifiable information (PII).