We have part of our Rails 6.0 application that needs to be loaded via iframe, so our goal is to only set the SameSite=None for certain URLs that the iframe interacts with.
I've followed this route ("Adding 'SameSite=None;' cookies to Rails via Rack middleware?"), which lets me add SameSite=None and secure just fine, and I added my own line to set 'None' or 'Lax' based on the REQUEST_PATH:

```ruby
# Only use 'None' for these two URLs
use_none = %w[extension sign_in].any? { |path| env['REQUEST_PATH'].include?(path) }
cookie_type = use_none ? 'None' : 'Lax'
new_set_cookie_header << " SameSite=#{cookie_type}"
```
However, any time that I go to one of the URLs that uses Lax and then go back to my iframe, I get logged out and have to log back on.
Our session_store looks like this:

```ruby
# The cookie name must be a string (or symbol); a bare identifier raises NameError
Rails.application.config.session_store :cookie_store, key: '_our_company_session'
```
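
The following is an added example, not part of the original post: a Rack-style middleware using the same path check, run against a constructed, simplified browser cookie model. `SameSiteByPath`, `CookieJar`, `APP` and `session_sent_in_iframe_after` are hypothetical names, and it assumes the app re-issues the session cookie on each of these responses. A browser stores one SameSite value per cookie, so the most recent Set-Cookie decides whether a cross-site iframe request carries the session.

```ruby
# Added illustration, not the poster's code. No gems required.
class SameSiteByPath
  NONE_PATHS = %w[extension sign_in].freeze

  def initialize(app); @app = app; end

  def call(env)
    status, headers, body = @app.call(env)
    if (cookie = headers['Set-Cookie'])
      use_none = NONE_PATHS.any? { |p| env['REQUEST_PATH'].include?(p) }
      attrs = use_none ? 'SameSite=None; Secure' : 'SameSite=Lax'
      headers['Set-Cookie'] = "#{cookie}; #{attrs}"
    end
    [status, headers, body]
  end
end

# Constructed browser model: one stored cookie per name; every new
# Set-Cookie replaces the stored attributes, SameSite included.
# A missing SameSite attribute is treated as Lax (current Chromium default).
class CookieJar
  def initialize; @cookies = {}; end

  def store(set_cookie)
    pair, *attrs = set_cookie.split(/;\s*/)
    name, value = pair.split('=', 2)
    same_site = attrs.map { |a| a[/\ASameSite=(\w+)\z/i, 1] }.compact.last
    @cookies[name] = { value: value, same_site: (same_site || 'Lax').downcase }
  end

  # A request made from a cross-site iframe only carries SameSite=None cookies.
  def sent?(name, cross_site:)
    c = @cookies[name]
    !c.nil? && (!cross_site || c[:same_site] == 'none')
  end
end

# Constructed app (assumption): re-issues the session cookie on every response.
APP = ->(_env) { [200, { 'Set-Cookie' => '_our_company_session=abc; path=/; HttpOnly' }, []] }

# Visit the paths in order, then report whether the stored session cookie
# would be attached to the next request made from a cross-site iframe.
def session_sent_in_iframe_after(paths)
  jar = CookieJar.new
  stack = SameSiteByPath.new(APP)
  paths.each { |path| jar.store(stack.call('REQUEST_PATH' => path)[1]['Set-Cookie']) }
  jar.sent?('_our_company_session', cross_site: true)
end
```

In this model, visiting only `/users/sign_in` leaves the cookie at SameSite=None, while a later visit to any other path rewrites the same cookie as Lax and the next iframe request goes out without it.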