diff --git a/internal/auth/cookie.go b/internal/auth/cookie.go index d6e4872..e426edd 100644 --- a/internal/auth/cookie.go +++ b/internal/auth/cookie.go @@ -2,19 +2,27 @@ package auth import ( "net/http" + "os" "time" ) // SetSessionCookie writes the session cookie with secure defaults. // Shared by password login, registration, and WebAuthn login. func SetSessionCookie(w http.ResponseWriter, cookieName, token string, duration time.Duration) { + secure := os.Getenv("COOKIE_SECURE") == "true" + + sameSite := http.SameSiteLaxMode + if secure { + sameSite = http.SameSiteStrictMode + } + http.SetCookie(w, &http.Cookie{ Name: cookieName, Value: token, Path: "/", HttpOnly: true, - Secure: true, - SameSite: http.SameSiteStrictMode, + Secure: secure, + SameSite: sameSite, MaxAge: int(duration.Seconds()), }) }