1. Bert, thank you!
2. Mike, this stuff is generally a mess:
There are now 4 valid options for a cookie:

Python Value | Cookie Value (all strings)
None |
"None" | None   < this is the new "experimental" one that Google has forced
"Strict" | Strict
"Lax" | Lax

You are supposed to still have the behavior you desire as long as the samesite is "lax" and the cookie has a "domain" attribute. That's the public hope, at least. There are some releases of specific browsers that are broken. It is a mess.

However, you need to understand these changes mean that the experience is definitely going to break for some amount of users, as some browsers can't handle the samesite values. Browser sniffing can help get around that.

My approach would be deciding which users to prioritize and if you need to work on browser sniffing. I would look at your traffic logs to decide that.

If you have a lot of Chrome traffic, you need to do browser testing WITH SPECIFIC CHROME FLAGS SET. Not all installations of Chrome have these set. IIRC the flags you want to enable are:

chrome://flags/#same-site-by-default-cookies
chrome://flags/#cookies-without-same-site-must-be-secure
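Added example, not part of the original message: one way to do the browser sniffing mentioned above, following the incompatible-client rules the Chromium project published for SameSite=None (Chrome 51 to 66, UC Browser before 12.13.2, iOS 12, and Safari or embedded WebKit on macOS 10.14). The function and helper names and the sample User-Agent strings are constructed for illustration, and the code assumes the Python value `None` means the attribute is left off the cookie.

```python
import re

# Constructed User-Agent strings, used only to exercise the check.
SAMPLE_UAS = {
    "chrome_60": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36",
    "chrome_80_mac": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 "
                     "(KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36",
    "safari_mac_10_14": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 "
                        "(KHTML, like Gecko) Version/12.1.2 Safari/605.1.15",
    "ios_12": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 "
              "(KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1",
    "ios_13": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_3 like Mac OS X) AppleWebKit/605.1.15 "
              "(KHTML, like Gecko) Version/13.0.4 Mobile/15E148 Safari/604.1",
}

def _webkit_samesite_bug(ua):
    """iOS 12 and Safari/embedded WebKit on macOS 10.14 treat SameSite=None as Strict."""
    ios = re.search(r"\(iP.+; CPU .*OS (\d+)[_\d]*.*\) AppleWebKit/", ua)
    if ios and ios.group(1) == "12":
        return True
    mac = re.search(r"\(Macintosh;.*Mac OS X (\d+)_(\d+)[_\d]*.*\) AppleWebKit/", ua)
    if mac and mac.groups() == ("10", "14"):
        safari = bool(re.search(r"Version/.* Safari/", ua)) and not re.search(r"Chrom(e|ium)", ua)
        embedded = re.fullmatch(r"Mozilla/[.\d]+ \(Macintosh;.*Mac OS X [_\d]+\) "
                                r"AppleWebKit/[.\d]+ \(KHTML, like Gecko\)", ua)
        return safari or bool(embedded)
    return False

def _drops_unknown_samesite(ua):
    """Chrome 51-66 and UC Browser before 12.13.2 reject cookies carrying SameSite=None."""
    uc = re.search(r"UCBrowser/(\d+)\.(\d+)\.(\d+)", ua)
    if uc:
        return tuple(int(part) for part in uc.groups()) < (12, 13, 2)
    chrome = re.search(r"Chrom[^ /]+/(\d+)", ua)
    return bool(chrome) and 51 <= int(chrome.group(1)) < 67

def samesite_for(user_agent):
    """Return "None" for clients that accept it, or None to omit the attribute (assumption)."""
    ua = user_agent or ""
    if _webkit_samesite_bug(ua) or _drops_unknown_samesite(ua):
        return None
    return "None"

if __name__ == "__main__":
    for name, ua in SAMPLE_UAS.items():
        print(f"{name:18} -> samesite={samesite_for(ua)!r}")
```

User-Agent strings are client-controlled, so this is only a compatibility decision; a cookie sent with SameSite=None still needs the Secure attribute for browsers that enforce the second flag listed in the message.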