DHIS2 Session Cookies
Use Case
There is a need to connect an external web application to DHIS2 instances, but DHIS2 does not by default provide access to the session cookie if you try to log in from a different domain. The DHIS2 docs give a workaround – is this possible or is it bad practice?
This relates to the SameSite attribute of the session Cookie. In DHIS 2 we use SameSite Lax, which means that Cookies are not sent on normal cross-site subrequests (for example to load images or frames into a third party site), but are sent when a user is navigating to the origin site (i.e., when following a link). So this is expected.
This is also the new default for cookies in Chrome. You can read more here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
To help, it would be good to learn a bit more about the use-case.
One approach is to host this external web application on the same domain as DHIS 2, e.g. using a proxy pass/forward in NGINX.
Another approach is to convert the web app to a DHIS 2 web app.
Lastly, if the web app has a backend component, the backend could proxy requests to DHIS 2 server-to-server to avoid the cross-site aspect. Not sure what is feasible here.
In DHIS 2.37 we also have the personal access tokens which might be helpful. https://docs.dhis2.org/en/use/user-guides/dhis-core-version-237/working-with-your-account/personal-access-tokens.html
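The SameSite behaviour described in the answer above, modelled as an added example (not part of the original page and not DHIS2 code): it shows why a cross-site call from an external app carries no session cookie, while a followed link or an app served from the same domain does. The hostnames, paths and the helper names `siteOf`, `cookieIsSent` and `evaluateScenarios` are assumptions made for illustration.

```javascript
// Added illustration: decides whether a browser attaches a cookie to a
// request, based on the cookie's SameSite attribute. All URLs are constructed.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Simplification: treats scheme + last two host labels as the "site".
// Real browsers use the Public Suffix List to find the registrable domain.
function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname.split(".").slice(-2).join(".")}`;
}

function cookieIsSent(cookie, request) {
  const mode = (cookie.sameSite || "Lax").toLowerCase(); // Lax is Chrome's default
  // A Secure cookie is never sent over plain HTTP.
  if (cookie.secure && new URL(request.targetUrl).protocol !== "https:") return false;
  // Same-site requests always carry the cookie, whatever the mode.
  if (siteOf(request.initiatorUrl) === siteOf(request.targetUrl)) return true;
  switch (mode) {
    case "strict":
      return false;
    case "lax": // cross-site: only top-level navigations with a safe method
      return request.topLevelNavigation === true &&
             SAFE_METHODS.has(request.method.toUpperCase());
    case "none": // SameSite=None is only honoured together with Secure
      return cookie.secure === true;
    default:
      return false;
  }
}

// Constructed scenarios: a DHIS 2 instance and an external web app.
const session = { sameSite: "Lax", secure: true };
const api = "https://dhis2.example.org/api/me";
const external = "https://app.example.net/";
const scenarios = {
  fetchFromExternalApp: { initiatorUrl: external, targetUrl: api, method: "GET", topLevelNavigation: false },
  linkFromExternalApp: { initiatorUrl: external, targetUrl: api, method: "GET", topLevelNavigation: true },
  formPostFromExternalApp: { initiatorUrl: external, targetUrl: api, method: "POST", topLevelNavigation: true },
  appProxiedOnSameDomain: { initiatorUrl: "https://dhis2.example.org/myapp/", targetUrl: api, method: "GET", topLevelNavigation: false },
};

function evaluateScenarios(cookie = session) {
  return Object.fromEntries(
    Object.entries(scenarios).map(([name, req]) => [name, cookieIsSent(cookie, req)]));
}

console.log(evaluateScenarios());
```

The `appProxiedOnSameDomain` case corresponds to the NGINX proxy approach in the answer: once the app is served from the DHIS 2 domain, its API calls are same-site and the Lax cookie is attached.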