Merge pull request #3937 from pulibrary/fix-cas-login-for-devs

Fix CAS Login for local development
pulibrary · Jan 13, 2024 · d4bc0d7 · d4bc0d7
2 parents 13f40b6 + 899e0f3
commit d4bc0d7
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/config/initializers/cookies_serializer.rb b/config/initializers/cookies_serializer.rb
@@ -3,4 +3,9 @@
 # Be sure to restart your server when you modify this file.
 
 Rails.application.config.action_dispatch.cookies_serializer = :json
-Rails.application.config.action_dispatch.cookies_same_site_protection = :strict
+
+# Strict Same Site Protection protects users from CSRF attacks from non-Princeton
+# domains.  However, when running orangelight on localhost, the CAS login page is
+# on a different domain from orangelight (localhost vs. *.princeton.edu), so
+# we exclude the dev environment from these protections so they can use CAS locally.
+Rails.application.config.action_dispatch.cookies_same_site_protection = :strict unless Rails.env.development?