fix: make session cookie Secure attribute optional for HTTP/LAN dev
This commit is contained in:
+10
-2
@@ -2,19 +2,27 @@ package auth
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
"os"
|
||||
"time"
|
||||
)
|
||||
|
||||
// SetSessionCookie writes the session cookie with secure defaults.
|
||||
// Shared by password login, registration, and WebAuthn login.
|
||||
func SetSessionCookie(w http.ResponseWriter, cookieName, token string, duration time.Duration) {
|
||||
secure := os.Getenv("COOKIE_SECURE") == "true"
|
||||
|
||||
sameSite := http.SameSiteLaxMode
|
||||
if secure {
|
||||
sameSite = http.SameSiteStrictMode
|
||||
}
|
||||
|
||||
http.SetCookie(w, &http.Cookie{
|
||||
Name: cookieName,
|
||||
Value: token,
|
||||
Path: "/",
|
||||
HttpOnly: true,
|
||||
Secure: true,
|
||||
SameSite: http.SameSiteStrictMode,
|
||||
Secure: secure,
|
||||
SameSite: sameSite,
|
||||
MaxAge: int(duration.Seconds()),
|
||||
})
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user