Default to request's cookies_same_site_protection option

stevenharman · stevenharman · commit d7d4a49f57e0 · 2025-04-02T14:47:50.000-04:00
This brings the ActiveRecordStore in line with the CookieStore that ships with Rails. (see: rails/rails#45501) `ActionDispatch::Session::ActiveRecordStore` passes along whatever options it was configure with, and by default that DOES NOT include a `:same_site` value. So when `Rack::Session::SessionId` is created, it's defaulting `:same_site` to `nil` because the option is missing. That means, by the time `ActionDispatch`'s cookie middleware runs, there is a `:same_site` key, so it won't set the default.
diff --git a/lib/action_dispatch/session/active_record_store.rb b/lib/action_dispatch/session/active_record_store.rb
@@ -59,6 +59,12 @@ class ActiveRecordStore < ActionDispatch::Session::AbstractSecureStore
 
       SESSION_RECORD_KEY = 'rack.session.record'
       ENV_SESSION_OPTIONS_KEY = Rack::RACK_SESSION_OPTIONS
+      DEFAULT_SAME_SITE = proc { |request| request.cookies_same_site_protection } # :nodoc:
+
+      def initialize(app, options = {})
+        options[:same_site] = DEFAULT_SAME_SITE unless options.key?(:same_site)
+        super
+      end
 
     private
       def get_session(request, sid)
diff --git a/test/action_controller_test.rb b/test/action_controller_test.rb
@@ -90,6 +90,31 @@ def test_getting_nil_session_value
     end
   end
 
+  def test_default_same_site_derives_SameSite_from_env
+    with_test_route_set do
+      get "/set_session_value"
+      assert_match %r{SameSite=Lax}i, headers["Set-Cookie"]
+    end
+  end
+
+  def test_explicit_same_site_sets_SameSite
+    session_options(same_site: :strict)
+
+    with_test_route_set do
+      get "/set_session_value"
+      assert_match %r{SameSite=Strict}i, headers["Set-Cookie"]
+    end
+  end
+
+  def test_explicit_nil_same_site_omits_SameSite
+    session_options(same_site: nil)
+
+    with_test_route_set do
+      get "/set_session_value"
+      assert_no_match %r{SameSite=}i, headers["Set-Cookie"]
+    end
+  end
+
   def test_calling_reset_session_twice_does_not_raise_errors
     with_test_route_set do
       get '/call_reset_session', :params => { :twice => "true" }
diff --git a/test/helper.rb b/test/helper.rb
@@ -61,6 +61,16 @@ def self.build_app(routes = nil)
 
   private
 
+    # Overwrite `get` to set env hash
+    def get(path, **options)
+      options[:headers] ||= {}
+      options[:headers].tap do |config|
+        config["action_dispatch.cookies_same_site_protection"] ||= ->(_) { :lax }
+      end
+
+      super
+    end
+
     def session_options(options = {})
       (@session_options ||= {key: "_session_id"}).merge!(options)
     end
