Is it possible to change cookie settings on certain requests?

[marcaddeo]

I'm implementing some OAuth logins with axum_login/tower_sessions and have found that SameSite=Strict causes issues on the redirect for some OAuth providers (Discord).

To get around this, one can add an intermediary redirect in the redirect chain that hits a page that has a <meta http-equiv="refresh" content="0;URL='http://thetudors.example.com/'" /> to "instantly" redirect the user to the next page so that a cookie is properly set and the original state can be retrieved from the session store.

However, that "instant" redirect isn't very instant and feels a bit hacky.

So what I was hoping to do was set the cookie to SameSite=Lax when starting the OAuth flow, and then upgrading it to SameSite=Strict after the OAuth flow has completed.

Or, if there's a better way to accomplish this I'd love to know!

[maxcountryman]

Setting SameSite to Lax is generally the easiest approach.

Currently there is no way to dynamically reconfigure SameSite as the cookie service is running.