Cookie mode (#7162)

* Add ability to set cookie mode

* Update docs

* Better validation of cookie mode

* Docs updates

* Update error msg

* Update config.md

Change default samesite mode to None

* Update settings.py

Default mode is None

* Update config_template.yaml

Change default value in config file template

src/backend/InvenTree/InvenTree/settings.py

@@ -1106,13 +1106,27 @@ if (
     )
     sys.exit(-1)
 
+COOKIE_MODE = (
+    str(get_setting('INVENTREE_COOKIE_SAMESITE', 'cookie.samesite', 'None'))
+    .lower()
+    .strip()
+)
+
+valid_cookie_modes = {'lax': 'Lax', 'strict': 'Strict', 'none': None, 'null': None}
+
+if COOKIE_MODE not in valid_cookie_modes.keys():
+    logger.error('Invalid cookie samesite mode: %s', COOKIE_MODE)
+    sys.exit(-1)
+
+COOKIE_MODE = valid_cookie_modes[COOKIE_MODE.lower()]
+
 # Additional CSRF settings
 CSRF_HEADER_NAME = 'HTTP_X_CSRFTOKEN'
 CSRF_COOKIE_NAME = 'csrftoken'
-CSRF_COOKIE_SAMESITE = 'Lax'
-SESSION_COOKIE_SAMESITE = 'Lax'
+CSRF_COOKIE_SAMESITE = COOKIE_MODE
+SESSION_COOKIE_SAMESITE = COOKIE_MODE
 SESSION_COOKIE_SECURE = get_boolean_setting(
-    'INVENTREE_SESSION_COOKIE_SECURE', 'session_cookie_secure', False
+    'INVENTREE_SESSION_COOKIE_SECURE', 'cookie.secure', False
 )
 
 USE_X_FORWARDED_HOST = get_boolean_setting(

src/backend/InvenTree/config_template.yaml

@@ -181,6 +181,11 @@ use_x_forwarded_host: false
 # Override with the environment variable INVENTREE_USE_X_FORWARDED_PORT
 use_x_forwarded_port: false
 
+# Cookie settings
+cookie:
+  secure: false
+  samesite: none
+
 # Cross Origin Resource Sharing (CORS) settings (see https://github.com/adamchainz/django-cors-headers)
 cors:
   allow_all: true