package auth import ( "net/http" "os" "time" ) // SetSessionCookie writes the session cookie with secure defaults. // Shared by password login, registration, and WebAuthn login. func SetSessionCookie(w http.ResponseWriter, cookieName, token string, duration time.Duration) { secure := os.Getenv("COOKIE_SECURE") != "false" http.SetCookie(w, &http.Cookie{ Name: cookieName, Value: token, Path: "/", HttpOnly: true, Secure: secure, SameSite: http.SameSiteLaxMode, MaxAge: int(duration.Seconds()), }) }