I have a Shopify app built in Django that was working fine up until recently. The sessions are not persisting across requests, and as a result an exception is being raised because the session for the given key that was set in the previous request does not exist. Trying the app endpoints outside of Shopify works fine; the sessions persist perfectly between requests, so it definitely is an issue within Shopify.
Looking at the sessions table in our database, we see multiple session keys with the same data; this indicates another session is being created per request. How do we persist sessions across requests in an iframe?
The version of Django being used was 2.1, which now includes a new feature that helps prevent CSRF attacks. According to the docs, the new SESSION_COOKIE_SAMESITE setting defaults to a value of 'Lax', which is a middle ground between 'Strict' and None.
This feature obviously works well for standalone Django apps but causes them to break when in an iframe, as with Shopify. Setting SESSION_COOKIE_SAMESITE = None in settings.py resolved the issue.
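The behaviour described in the question and answer can be reproduced with a small model of how a browser decides whether to attach a SameSite cookie. This is an added example, not code from the original post or from Django; `Request`, `cookie_is_sent`, `sessions_created` and the sample traffic are constructed for illustration, and the rules are a simplification of browser behaviour.

```python
from dataclasses import dataclass
from typing import Optional
import secrets


@dataclass(frozen=True)
class Request:
    same_site: bool             # initiating page is on the same site as the cookie
    top_level_navigation: bool  # False for a document loaded inside an iframe
    safe_method: bool = True    # GET/HEAD


def cookie_is_sent(samesite: Optional[str], req: Request, *,
                   secure: bool = False, absent_means_lax: bool = False) -> bool:
    """samesite is the cookie's attribute: 'Strict', 'Lax', 'None', or None if absent."""
    if samesite is None:
        # Older browsers treat a missing attribute as None, current ones as Lax.
        samesite = "Lax" if absent_means_lax else "None"
    elif samesite == "None" and not secure:
        return False  # current browsers reject SameSite=None without Secure
    if req.same_site or samesite == "None":
        return True
    if samesite == "Lax":
        return req.top_level_navigation and req.safe_method
    return False  # Strict: never sent on cross-site requests


def sessions_created(samesite: Optional[str], requests, **browser) -> int:
    """Count session rows: the server creates a new one whenever no cookie arrives."""
    store, cookie = set(), None
    for req in requests:
        key = cookie if cookie and cookie_is_sent(samesite, req, **browser) else None
        if key not in store:
            key = secrets.token_hex(16)  # stand-in for a new session key
            store.add(key)
        cookie = key  # value carried by Set-Cookie on the response
    return len(store)


# Constructed sample traffic: three page loads of the app.
IFRAME = [Request(same_site=False, top_level_navigation=False)] * 3
DIRECT = [Request(same_site=True, top_level_navigation=True)] * 3

if __name__ == "__main__":
    print("Lax, embedded:", sessions_created("Lax", IFRAME))
    print("Lax, direct:", sessions_created("Lax", DIRECT))
    print("None + Secure, embedded:", sessions_created("None", IFRAME, secure=True))
    print("absent, embedded:", sessions_created(None, IFRAME))
```

In Django 2.1, the Python value `None` omits the SameSite attribute, so browsers that default a missing attribute to Lax still drop the cookie in the iframe; Django 3.1 and later accept the string `'None'`, which needs `SESSION_COOKIE_SECURE = True` to be honoured. A session cookie sent cross-site no longer gets any CSRF protection from SameSite, so Django's CSRF token checks have to stay enabled.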