From 2028e636a387aa6c7f7fef042b50cb222a64ee31 Mon Sep 17 00:00:00 2001
From: Sebastian Serth
Date: Tue, 6 Sep 2022 13:28:12 +0200
Subject: [PATCH] Use SameSite=Lax for LTI login

---
 config/initializers/session_store.rb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
index b1fae6e4..7bd809a2 100644
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@@ -18,4 +18,7 @@ Rails.application.config.session_store :cookie_store,
   expire_after: 1.month,
   secure: Rails.env.production? || Rails.env.staging?,
   path: Rails.application.config.relative_url_root,
-  same_site: :strict
+  # Signing in through LTI won't work with `SameSite=Strict`
+  # as the cookie is not sent when accessing the `implement` route
+  # following the LTI launch initiated by the LMS as a third party.
+  same_site: :lax
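Review bot: Relaxing the application-wide session cookie from `SameSite=Strict` to `Lax` for the LTI handoff means every top-level cross-site GET navigation now carries the session, so any GET route with side effects becomes reachable from a third-party page; the added comment explains why Strict breaks LTI but not what still guards the session afterwards. The `session_store` call itself begins before the hunk, so other cookie options are not visible here. I would extend the comment with `# Lax still withholds the cookie on cross-site POST, so CSRF tokens remain the guard for non-GET requests; keep state-changing actions off GET routes.` If only the LTI launch needs the relaxation, a narrower option is a separate short-lived cookie for that handoff, though I cannot tell from the hunk whether the `implement` route could be adapted to it.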