openedx · feanil · Jun 15, 2026 · Jun 15, 2026
diff --git a/README.rst b/README.rst
@@ -245,6 +245,20 @@ Tutor-based deployments satisfy this requirement automatically. For bare-metal
 or custom deployments, verify that ``CACHES['default']`` points at a shared
 Redis or Memcached instance before enabling these features.
 
+Session Cookie SameSite
+=======================
+
+Open edX's LMS <-> Studio SSO flow relies on the session cookie being sent
+on cross-site requests, which requires ``SESSION_COOKIE_SAMESITE = 'None'``.
+This is set automatically when ``lms/envs/production.py`` is loaded.
+
+If you run an LMS *without* loading ``production.py`` (e.g. a stripped-down
+setup that loads only ``lms/envs/common.py``), set ``SESSION_COOKIE_SAMESITE
+= 'None'`` in your settings yourself. ``SameSite=None`` cookies also require
+``SESSION_COOKIE_SECURE = True`` and HTTPS, so over plain HTTP use ``'Lax'``
+instead — in that case some cross-site flows (notably Studio SSO) will not
+work.
+
 .. _lms/djangoapps/lti_provider/README.rst: lms/djangoapps/lti_provider/README.rst
 
 License

diff --git a/lms/envs/common.py b/lms/envs/common.py
@@ -989,10 +989,6 @@
 
 ############################### DJANGO BUILT-INS ###############################
 
-# django-session-cookie middleware
-DCS_SESSION_COOKIE_SAMESITE = 'None'
-DCS_SESSION_COOKIE_SAMESITE_FORCE_ALL = True
-
 # LMS base
 LMS_BASE = 'localhost:18000'
 

diff --git a/lms/envs/devstack.py b/lms/envs/devstack.py
@@ -474,10 +474,6 @@ def should_show_debug_toolbar(request):  # pylint: disable=missing-function-docs
 
 #####################################################################
 
-# django-session-cookie middleware
-DCS_SESSION_COOKIE_SAMESITE = 'Lax'
-DCS_SESSION_COOKIE_SAMESITE_FORCE_ALL = True
-
 ########################## THEMING  #######################
 # If you want to enable theming in devstack, uncomment this section and add any relevant
 # theme directories to COMPREHENSIVE_THEME_DIRS

@@ -132,9 +132,10 @@ def get_env_setting(setting):
 
 DATA_DIR = path(DATA_DIR)  # noqa: F405
 
-# TODO: This was for backwards compatibility back when installed django-cookie-samesite (not since 2022).
-#       The DCS_ version of the setting can be DEPR'd at this point.
-SESSION_COOKIE_SAMESITE = DCS_SESSION_COOKIE_SAMESITE  # noqa: F405
+# Required to be 'None' so the session cookie is sent on cross-site requests
+# (e.g. LMS <-> Studio SSO). Browsers reject SameSite=None unless the cookie
+# is also Secure, so production deployments must serve over HTTPS.
+SESSION_COOKIE_SAMESITE = 'None'
 
 for feature, value in _YAML_TOKENS.get('FEATURES', {}).items():
     FEATURES[feature] = value