
I've been having some issues w/ my Flask + React.js application.

My React.js application is hosted on one host, and the flask one on the other. The React.js app is sending API requests to the Flask endpoints and for that I'm using CORS.

But for some reason, the browser decides to not accept any of my cookies, leading to the fact that I can't keep any session data (which is crucial to flask-login).

Response headers:

[Screenshot of the response headers]

As you can see in the attached image, Chrome is automatically setting the value of the Set-Cookie attribute to Lax. Now, I've tried multiple solutions and none of them work.

  1. Changing Flask Config: I've added the following parameters to the config via code, to no avail.

    from flask import Flask

    app = Flask(__name__)  # the Flask application object

    # Session cookie settings as tried in the question
    app.config['SESSION_COOKIE_NAME'] = "session"
    app.config['SESSION_COOKIE_HTTPONLY'] = True
    app.config['SESSION_COOKIE_SAMESITE'] = None
    app.config['SESSION_COOKIE_SECURE'] = True

  2. Tricking Chrome via a duplicate Set-Cookie header: I've tried the solution here; the problem is that it doesn't do it to the flask-login cookie values, only to the main session ones.

Python session SAMESITE=None not being set

I've searched the internet for a long while now and I can't seem to find a suitable answer. The only possibility I currently see is working with a JWT, but that would require a whole re-write of my system.

tripleee

1 Answer

I struggled with cross-site logins quite a bit too last year. I don't know if it will fix your problem, but in my configuration I actually set the samesite option to the string "None".

app.config['SESSION_COOKIE_SAMESITE'] = "None"

This might work because None would just make Flask set nothing (the default value, i.e. let the browser decide), and since last year the new default isn't "None" but "Lax" (as seen in your example), at least in Chrome.

There is also the Flask-CORS package, which might help you as well (https://flask-cors.readthedocs.io/en/latest/).

Max Leidl

Comment from Niv.Mamadov (Jul 01 '21 at 20:44): Hi, thank you so much for your comment. Yes, for some reason I did put None here in the thread but "None" in my application. Well, the cookie does not show the error (one of them, the session cookie); it still is not saved in the browser, which leads to a session reset.
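To see why the two spellings discussed in this thread behave differently, here is an added example (not code from the question or the answer) that renders Flask's "session" cookie the way a SESSION_COOKIE_SAMESITE of None versus "None" produces it, then applies a simplified, assumed model of the Chrome rule the question runs into: no SameSite attribute is treated as Lax and the cookie is withheld from cross-site requests, and SameSite=None is honoured only together with Secure. The function names and the sample cookie value are my own assumptions.

```python
from http.cookies import SimpleCookie


def build_session_cookie(samesite, secure=True, httponly=True):
    """Render a Set-Cookie header for Flask's "session" cookie from the
    SESSION_COOKIE_* values in the question. Assumed mapping that mirrors
    the thread's observation: the Python value None omits the SameSite
    attribute entirely, while the string "None" emits SameSite=None."""
    cookie = SimpleCookie()
    cookie["session"] = "constructed-session-value"  # constructed sample value
    morsel = cookie["session"]
    morsel["path"] = "/"
    if httponly:
        morsel["httponly"] = True
    if secure:
        morsel["secure"] = True
    if samesite is not None:
        morsel["samesite"] = samesite
    return morsel.OutputString()


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val if val else True
    return name, value, attrs


def cross_site_verdict(header):
    """Simplified model (assumption) of the Chrome rules the thread hits:
    a missing SameSite attribute is treated as Lax, which withholds the
    cookie from cross-site XHR/fetch calls; SameSite=None is accepted
    only when Secure is also present."""
    _, _, attrs = parse_set_cookie(header)
    samesite = str(attrs.get("samesite", "lax")).lower()
    if samesite == "none":
        return "sent" if attrs.get("secure") else "rejected"
    return "withheld"


if __name__ == "__main__":
    for label, samesite, secure in [("None (Python)", None, True),
                                    ('"None" + Secure', "None", True),
                                    ('"None" no Secure', "None", False)]:
        header = build_session_cookie(samesite, secure=secure)
        print(f"{label:18} -> {cross_site_verdict(header):9} | {header}")
```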