fix: make session cookie Secure attribute optional for HTTP/LAN dev

This commit is contained in:
root
2026-06-29 16:19:58 +00:00
parent d122133e93
commit a81a8e6901
+10 -2
View File
@@ -2,19 +2,27 @@ package auth
import ( import (
"net/http" "net/http"
"os"
"time" "time"
) )
// SetSessionCookie writes the session cookie with secure defaults. // SetSessionCookie writes the session cookie with secure defaults.
// Shared by password login, registration, and WebAuthn login. // Shared by password login, registration, and WebAuthn login.
func SetSessionCookie(w http.ResponseWriter, cookieName, token string, duration time.Duration) { func SetSessionCookie(w http.ResponseWriter, cookieName, token string, duration time.Duration) {
secure := os.Getenv("COOKIE_SECURE") == "true"
sameSite := http.SameSiteLaxMode
if secure {
sameSite = http.SameSiteStrictMode
}
http.SetCookie(w, &http.Cookie{ http.SetCookie(w, &http.Cookie{
Name: cookieName, Name: cookieName,
Value: token, Value: token,
Path: "/", Path: "/",
HttpOnly: true, HttpOnly: true,
Secure: true, Secure: secure,
SameSite: http.SameSiteStrictMode, SameSite: sameSite,
MaxAge: int(duration.Seconds()), MaxAge: int(duration.Seconds()),
}) })
} }