Fork me on GitHub

Hi there. I am using the ring session middleware to implement sessions. I had the :cookie-attrs set to {:max-age cookie-expiry-time} which was ok but now browsers are changing their behavoir. And I recently got the warning in firefox: Cookie “myCookie” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite” attribute, read . So i need to upgrade my cookies to be secure. So I set :cookie-attrs to {:max-age cookie-expiry-time :secure true}, and this does set the Secure flag on the sent cookie. However, clients with existing cookies with Secure=false do not get a new upgraded cookie sent to them. If the cookie is sent from the client ring adopts it and uses it for the session id. I need it to send a new upgraded cookie setting in the response if the client sent cookie does not match the one that would be sent (like doesnt have secure set). Is there some setting in the middleware to achieve this behavior?