Is it possible to change cookie settings on certain requests?

[marcaddeo]

I'm implementing some OAuth logins with axum_login/tower_sessions and have found that SameSite=Strict causes issues on the redirect for some OAuth providers (Discord).

To get around this, one can add an intermediary redirect in the redirect chain that hits a page that has a <meta http-equiv="refresh" content="0;URL='http://thetudors.example.com/'" /> to "instantly" redirect the user to the next page so that a cookie is properly set and the original state can be retrieved from the session store.

However, that "instant" redirect isn't very instant and feels a bit hacky.

So what I was hoping to do was set the cookie to SameSite=Lax when starting the OAuth flow, and then upgrading it to SameSite=Strict after the OAuth flow has completed.

Or, if there's a better way to accomplish this I'd love to know!

[maxcountryman]

Setting SameSite to Lax is generally the easiest approach.

Currently there is no way to dynamically reconfigure SameSite as the cookie service is running.

[inklesspen]

When I implemented OAuth login with Discord (in Python land, mind you) the solution I went with here was having two session cookies. One is Lax, one is Strict. Each one has its own isolated session store.

We use the Lax session when redirecting to Discord and back, and then upon getting the token, immediately drop the Lax session and store the current user info in the Strict session.

Unfortunately I don't think you can do that out-of-the-box with tower-sessions and axum…