set sameSite to lax when allowing insecure cookies (#1078)
nsarrazin authored Apr 26, 2024
1 parent 745e51e commit bc30bd1
Showing 2 changed files with 2 additions and 2 deletions.
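--- a/src/lib/server/auth.ts
+++ b/src/lib/server/auth.ts
@@ -55,7 +55,7 @@ export function refreshSessionCookie(cookies: Cookies, sessionId: string) {
 cookies.set(COOKIE_NAME, sessionId, {
 path: "/",
 // So that it works inside the space's iframe
-sameSite: dev ? "lax" : "none",
+sameSite: dev || ALLOW_INSECURE_COOKIES === "true" ? "lax" : "none",
 secure: !dev && !(ALLOW_INSECURE_COOKIES === "true"),
 httpOnly: true,
 expires: addWeeks(new Date(), 2),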
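Review bot: The rule that `SameSite=None` is only accepted together with `Secure` is now encoded in two separately written expressions (`sameSite` and `secure`), so a later edit to one can silently break the other; deriving both from one boolean makes the coupling explicit: `const insecure = dev || ALLOW_INSECURE_COOKIES === "true";` then `sameSite: insecure ? "lax" : "none", secure: !insecure,`. The comment above `sameSite` is also stale for the new branch, because with `lax` the session cookie is not sent in a cross-site iframe; I would reword it to `// "none" so the cookie works inside the space's iframe; "none" needs secure, so fall back to "lax" when insecure cookies are allowed`. Both points apply equally to the `cookies.delete` options in src/routes/logout/+page.server.ts. The `cookies.set` call and refreshSessionCookie continue past the end of the hunk.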
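--- a/src/routes/logout/+page.server.ts
+++ b/src/routes/logout/+page.server.ts
@@ -11,7 +11,7 @@ export const actions = {
 cookies.delete(COOKIE_NAME, {
 path: "/",
 // So that it works inside the space's iframe
-sameSite: dev ? "lax" : "none",
+sameSite: dev || ALLOW_INSECURE_COOKIES === "true" ? "lax" : "none",
 secure: !dev && !(ALLOW_INSECURE_COOKIES === "true"),
 httpOnly: true,
 });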
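Review bot: The options passed to `cookies.delete` are a hand-copied duplicate of the ones in refreshSessionCookie, and this commit had to patch both copies. If they drift again, a deletion cookie sent as `SameSite=None` without `Secure` is likely to be rejected by browsers that enforce that pairing, and logout would then leave the session cookie in place. Exporting the shared attributes once from src/lib/server/auth.ts (for example a `sessionCookieOptions()` helper returning `path`, `sameSite`, `secure` and `httpOnly`) and spreading them here would keep set and delete in step. The `actions` object starts and ends outside the hunk.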
