Using session cookie with same site strict without breaking OAuth


I have a Rails app that has two broad flows, one is the Admin login and another is the Customer Web. I want to make the session cookie use the same_site: strict option as the application has sensitive data and involves money transactions.

Enabling same_site: strict breaks the Omniauth Google OAuth flow for logging into Admin and throws a CSRF error (because the session cookie is not being passed in the redirect).

Is there any way to make the OAuth work with the same_site: strict option? Or, is there any way in Rails to have two different session cookies, one with strict and another with the lax option, and use them both in the individual flows?

I didn't find much around this; most posts just ask to use the lax option. I tried using multiple session stores, but Rails only ends up using one session for the entire application.
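The CSRF error in the question comes from the browser's SameSite rule, not from Rails or OmniAuth themselves: the OAuth callback is a top-level GET redirect that originates on the identity provider's site, and a SameSite=Strict cookie is never attached to a cross-site request, so the callback arrives without the session that holds the OAuth state. The following Ruby script is an added example, not code from the question or from Rails, that models the browser's decision (an approximation of the RFC 6265bis rules: site is taken as the last two host labels and cookies are treated as host-only, both assumptions for the sake of the example). The hosts `admin.example.com` and `accounts.google.com` and the callback path are illustrative.

```ruby
require 'uri'

# A cookie as the browser stores it: name, the host it was set for, and its
# SameSite attribute (:strict, :lax or :none).
Cookie = Struct.new(:name, :domain, :same_site, keyword_init: true)

# "Site" of a host, approximated as the registrable domain = last two labels.
# Assumption for the example: no public-suffix list is consulted.
def site_of(host)
  host.split('.').last(2).join('.')
end

# Would the browser attach `cookie` to a request for `target_url` that was
# initiated (or redirected) from `initiator_url`?
#   - same-site requests always carry the cookie
#   - SameSite=None is sent cross-site too (browsers also require Secure)
#   - SameSite=Lax is sent cross-site only on a top-level navigation using a
#     safe method (GET/HEAD/OPTIONS), which is exactly the OAuth callback hop
#   - SameSite=Strict is never sent on a cross-site request
def cookie_sent?(cookie, initiator_url:, target_url:, method: 'GET', top_level: true)
  target_host = URI(target_url).host
  return false unless cookie.domain == target_host # host-only cookie assumed

  initiator_site = site_of(URI(initiator_url).host)
  target_site = site_of(target_host)
  return true if initiator_site == target_site

  case cookie.same_site
  when :none   then true
  when :lax    then top_level && %w[GET HEAD OPTIONS].include?(method.upcase)
  when :strict then false
  else false
  end
end

# The OmniAuth-style callback: the identity provider answers the authorize
# request with a 302 that sends the browser (top-level GET) back to our app.
# Returns whether the session cookie is present on that callback request.
def oauth_callback_has_session?(same_site)
  session = Cookie.new(name: '_app_session', domain: 'admin.example.com', same_site: same_site)
  cookie_sent?(session,
               initiator_url: 'https://accounts.google.com/o/oauth2/auth',
               target_url: 'https://admin.example.com/auth/google_oauth2/callback',
               method: 'GET', top_level: true)
end

# A cross-site form POST (the case SameSite is meant to stop): returns whether
# the session cookie would ride along with it.
def cross_site_post_has_session?(same_site)
  session = Cookie.new(name: '_app_session', domain: 'admin.example.com', same_site: same_site)
  cookie_sent?(session,
               initiator_url: 'https://other.example.org/',
               target_url: 'https://admin.example.com/transfers',
               method: 'POST', top_level: true)
end

if __FILE__ == $PROGRAM_NAME
  %i[strict lax].each do |mode|
    puts "SameSite=#{mode}: OAuth callback sees session? #{oauth_callback_has_session?(mode)}, " \
         "cross-site POST sees session? #{cross_site_post_has_session?(mode)}"
  end
end
```

Running it shows the trade-off behind the question: with Lax the callback still carries the session (so the state check passes) while a cross-site POST does not, whereas with Strict both requests are stripped of the cookie, which is why the OAuth round trip fails even though the money-moving POSTs are protected either way.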
