fix: make session cookie Secure attribute optional for HTTP/LAN dev

This commit is contained in:
root
2026-06-29 16:19:58 +00:00
parent d122133e93
commit a81a8e6901
+10 -2
View File
@@ -2,19 +2,27 @@ package auth
import (
"net/http"
"os"
"time"
)
// SetSessionCookie writes the session cookie with secure defaults.
// Shared by password login, registration, and WebAuthn login.
func SetSessionCookie(w http.ResponseWriter, cookieName, token string, duration time.Duration) {
secure := os.Getenv("COOKIE_SECURE") == "true"
sameSite := http.SameSiteLaxMode
if secure {
sameSite = http.SameSiteStrictMode
}
http.SetCookie(w, &http.Cookie{
Name: cookieName,
Value: token,
Path: "/",
HttpOnly: true,
Secure: true,
SameSite: http.SameSiteStrictMode,
Secure: secure,
SameSite: sameSite,
MaxAge: int(duration.Seconds()),
})
}