SameSite=None flag is not set on remember_token cookie

[ramanraja]

I have a Flask server with flask-login with Nginx redirecting the https calls from port 80 to 443. The front end running on my local machine uses Angular 2. So I have enabled CORS.
I have the following values in my flask configuration object:

    SESSION_COOKIE_SECURE = True
    SESSION_COOKIE_SAMESITE = 'None'   
    REMEMBER_COOKIE_SECURE = True
    REMEMBER_COOKIE_SAMESITE = 'None'  

flask-login correctly sets the SameSite=None parameter on my session cookie. But it fails to set the SameSite flag on the remember_token cookie. This makes the browser reject the cookie.

First I tried the Python literal None, which did not work. Later I tried the string 'None' including the quotes, and it worked for the session cookie. But it did not set the SameSite flag on my remember_token cookie. Even the Secure flag is not set.

The values from my browser are shown below.

remember_token=UI-99999|24a109091c35197c1f5579cf3a1fdbcf208bf956880e2b6...8115af0b432e40299c1857f99b30ab51; Expires=Fri, 01 Jul 2022 06:34:01 GMT; HttpOnly; Path=/

session=.eJwdjjEOwjAQBP_iGtD5nLPP-QENX4hs31pQBKSEVIi_Y1FtMavRfNzSNsUE8pOJaKZq....7kpt2dFeT9vdzJKZiC406LEP8m-93s6ewyTu-wPr9zq2.YpcIWQ.IBagkKGI8DgyDydj4VyD1xZgW-Q; Secure; HttpOnly; Path=/; SameSite=None
Vary:Origin, Cookie

[ramanraja]

Update: I found a work-around for the missing SameSite flag. I set up the flag in my Nginx proxy setting as follows:

        location / {
            proxy_pass http://127.0.0.1:8000;
            proxy_cookie_path / "/; SameSite=None; HTTPOnly; Secure";
}

This has solved the problem for me temporarily, but the original question still remains as to why Flask-login is unable to set the flag.