Index: /branches/rel_apv_10_7/usr/click/webui/htdocs/new/src/djproject/settings.py
===================================================================
--- /branches/rel_apv_10_7/usr/click/webui/htdocs/new/src/djproject/settings.py	(revision 38229)
+++ /branches/rel_apv_10_7/usr/click/webui/htdocs/new/src/djproject/settings.py	(working copy)
@@ -102,12 +102,16 @@
     # 'django.middleware.clickjacking.XFrameOptionsMiddleware',
     'django.middleware.locale.LocaleMiddleware',
     'hive.session.HiveSessionMiddleware',
+    'hive.session.CookiesSameSiteMiddleWare',  # Attetion: This is for the version under Python 3.8, above Python 3.8 can remove the function
     'hive.router.webui_restapi_switch_middleware',
 )
 
 CSRF_COOKIE_SECURE = True
 CSRF_COOKIE_HTTPONLY = True
 
+SESSION_COOKIE_SAMESITE = 'Lax'
+SESSION_COOKIE_SAMESITE_FORCE_ALL = True
+
 ROOT_URLCONF = 'djproject.urls'
 
 # Python dotted path to the WSGI application used by Django's runserver.
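Review bot: The position of `'hive.session.CookiesSameSiteMiddleWare'` in the tuple decides which cookies it can see, because Django calls `process_response` hooks in reverse list order. Listed after `HiveSessionMiddleware`, it runs before that middleware on the way out, so any cookie `HiveSessionMiddleware` sets or refreshes in its own `process_response` would, if it does so, leave without `SameSite`. The start of the tuple is outside this hunk, but moving the entry to the first position would make it the last response hook to run. The inline comment would also read more clearly as `# Backport of SameSite cookie support; remove once the runtime sets SameSite natively`, since the class docstring ties removal to the Django version rather than Python 3.8.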
Index: /branches/rel_apv_10_7/usr/click/webui/htdocs/new/src/hive/session.py
===================================================================
--- /branches/rel_apv_10_7/usr/click/webui/htdocs/new/src/hive/session.py	(revision 38229)
+++ /branches/rel_apv_10_7/usr/click/webui/htdocs/new/src/hive/session.py	(working copy)
@@ -24,6 +24,12 @@
 from hive.two_factor import cmd_direct
 from hive.model.query import set_thread_time
 from urllib import quote, unquote
+# Cookie library has moved to http in python3
+try:
+    import Cookie
+except ImportError:
+    import http.cookies as Cookie
+Cookie.Morsel._reserved.update({"samesite": "SameSite"})
     
 class ANSession(object):
     _session_pool = {}
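Review bot: `Cookie.Morsel._reserved.update({"samesite": "SameSite"})` patches a private attribute of a stdlib class at import time, so it changes cookie serialisation for every user of `Morsel` in the process, not just this module. On interpreters where the key already exists, `Cookie.Morsel._reserved.setdefault("samesite", "SameSite")` leaves the native entry untouched. A comment such as `# Process-wide monkeypatch: teaches Morsel the SameSite attribute on interpreters that lack it` would make the side effect visible to the next maintainer. The context line `from urllib import quote, unquote` is Python 2 only, so the `except ImportError` branch looks unreachable in this module as it stands.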
@@ -778,3 +784,87 @@
                     sess.cli.quit()
         return response
 
+def get_config_setting(setting_name, default_value=None):
+    """Load the Django setting with DCS_ prefix and fallback to the legacy name if not found."""
+    return getattr(
+        settings,
+        "DCS_{}".format(setting_name),
+        getattr(settings, setting_name, default_value),
+    )
+
+class CookiesSameSiteMiddleWare(object):
+    """
+    Support for SameSite attribute in Cookies is fully implemented in Django 3.1 and won't
+    be back-ported to Django 3.0 or earlier.
+
+    This middleware will be obsolete when your app will start using Django 3.1.
+    """
+
+    def __init__(self, *args, **kwargs):
+        self.protected_cookies = get_config_setting(
+            "SESSION_COOKIE_SAMESITE_KEYS", set()
+        )
+
+        if not isinstance(self.protected_cookies, (list, set, tuple)):
+            raise ValueError(
+                "SESSION_COOKIE_SAMESITE_KEYS should be a list, set or tuple."
+            )
+
+        self.protected_cookies = set(self.protected_cookies)
+        if get_config_setting("SESSION_COOKIE_SAMESITE_FORCE_CORE", True):
+            self.protected_cookies |= {
+                settings.SESSION_COOKIE_NAME,
+                settings.CSRF_COOKIE_NAME,
+            }
+
+        samesite_flag = get_config_setting("SESSION_COOKIE_SAMESITE", "")
+        self.samesite_flag = (
+            str(samesite_flag).capitalize() if samesite_flag is not None else ""
+        )
+        self.samesite_force_all = get_config_setting(
+            "SESSION_COOKIE_SAMESITE_FORCE_ALL"
+        )
+        # SAMESITE_DEVMODE=True means, use Lax if http request.
+        self.devmode = bool(get_config_setting("SAMESITE_DEVMODE"))
+
+        return super(CookiesSameSiteMiddleWare, self).__init__(*args, **kwargs)
+
+    def update_cookie(self, cookie, request, response):
+        https = request.is_secure()
+        if self.devmode and not https:
+            flag = "Lax"
+        else:
+            flag = self.samesite_flag
+        response.cookies[cookie]["samesite"] = flag
+        if https:
+            response.cookies[cookie]["secure"] = True
+
+    def process_response(self, request, response):
+        # same-site = None introduced for Chrome 80 breaks for Chrome 51-66
+        # Refer (https://www.chromium.org/updates/same-site/incompatible-clients)
+        # Some of HTTP Clients have non-ascii characters in their User Agents. The most feasible solution to that
+        # problem is to ignore all non-ascii characters.
+        # Related: https://stackoverflow.com/questions/4400678/what-character-encoding-should-i-use-for-a-http-header
+
+        # if LooseVersion(django.get_version()) >= LooseVersion(DJANGO_SUPPORTED_VERSION):
+        #     raise DeprecationWarning(
+        #         "Your version of Django supports SameSite flag in the cookies mechanism. "
+        #         "You should remove django-cookies-samesite from your project."
+        #     )
+
+        if not self.samesite_flag:
+            return response
+
+        # TODO: capitalize those values
+        if self.samesite_flag not in {"Lax", "None", "Strict"}:
+            raise ValueError('samesite must be "Lax", "None", or "Strict".')
+
+        if self.samesite_force_all:
+            for cookie in response.cookies:
+                self.update_cookie(cookie, request, response)
+        else:
+            for cookie in self.protected_cookies:
+                if cookie in response.cookies:
+                    self.update_cookie(cookie, request, response)
+
+        return response
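Review bot: The comment block at the top of `process_response` describes handling for clients incompatible with `SameSite=None` and non-ASCII User-Agents, but the new code has no User-Agent check at all, so the comment promises protection that is not there. With the configured `'Lax'` this is harmless. If the setting is later changed to `'None'`, `update_cookie` would send `SameSite=None` to every client, and on requests where `request.is_secure()` is false it would do so without `Secure`, which current browsers reject. I would replace the stale comment with `# NOTE: no User-Agent filtering is done; "None" goes to all clients and only gets Secure on HTTPS requests`. I would also move the `if self.samesite_flag not in {"Lax", "None", "Strict"}: raise ValueError(...)` check into `__init__`, so that a bad setting fails once at start-up instead of raising on every response. Deployments behind a TLS-terminating proxy should confirm that `is_secure()` reflects the client connection, since it is the only thing that triggers the `secure` attribute here.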
