From a81a8e69015db6794123d2deb479894794b7a399 Mon Sep 17 00:00:00 2001 From: root Date: Mon, 29 Jun 2026 16:19:58 +0000 Subject: [PATCH] fix: make session cookie Secure attribute optional for HTTP/LAN dev --- internal/auth/cookie.go | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/internal/auth/cookie.go b/internal/auth/cookie.go index d6e4872..e426edd 100644 --- a/internal/auth/cookie.go +++ b/internal/auth/cookie.go @@ -2,19 +2,27 @@ package auth import ( "net/http" + "os" "time" ) // SetSessionCookie writes the session cookie with secure defaults. // Shared by password login, registration, and WebAuthn login. func SetSessionCookie(w http.ResponseWriter, cookieName, token string, duration time.Duration) { + secure := os.Getenv("COOKIE_SECURE") == "true" + + sameSite := http.SameSiteLaxMode + if secure { + sameSite = http.SameSiteStrictMode + } + http.SetCookie(w, &http.Cookie{ Name: cookieName, Value: token, Path: "/", HttpOnly: true, - Secure: true, - SameSite: http.SameSiteStrictMode, + Secure: secure, + SameSite: sameSite, MaxAge: int(duration.Seconds()), }) }