v39: Fix session cookie Secure flag for HTTP

oauth_handlers.go

@@ -287,7 +287,7 @@ func (m *OAuthManager) HandleCallback(w http.ResponseWriter, r *http.Request) {
 	m.sessions.UpdateSession(session)
 
 	// Set session cookie
-	if err := m.SetSessionCookie(w, session.ID); err != nil {
+	if err := m.SetSessionCookie(w, r, session.ID); err != nil {
 		http.Error(w, fmt.Sprintf("Failed to set cookie: %v", err), http.StatusInternalServerError)
 		return
 	}

oauth_session.go

@@ -236,18 +236,21 @@ func decryptSessionID(encrypted string, key []byte) (string, error) {
 }
 
 // SetSessionCookie sets an encrypted session cookie
-func (m *OAuthManager) SetSessionCookie(w http.ResponseWriter, sessionID string) error {
+func (m *OAuthManager) SetSessionCookie(w http.ResponseWriter, r *http.Request, sessionID string) error {
 	encrypted, err := encryptSessionID(sessionID, m.cookieSecret)
 	if err != nil {
 		return err
 	}
 
+	// Only set Secure flag for HTTPS connections
+	secure := r.TLS != nil || r.Header.Get("X-Forwarded-Proto") == "https"
+
 	http.SetCookie(w, &http.Cookie{
 		Name:     sessionCookieName,
 		Value:    encrypted,
 		Path:     "/",
 		HttpOnly: true,
-		Secure:   true,
+		Secure:   secure,
 		SameSite: http.SameSiteLaxMode,
 		MaxAge:   int(sessionTTL.Seconds()),
 	})

templates.go

@@ -534,7 +534,7 @@ const dashboardHTML = `<!DOCTYPE html>
         <div id="output"></div>
     </div>
 
-    <div style="color: #333; font-size: 11px; margin-top: 10px;">v38</div>
+    <div style="color: #333; font-size: 11px; margin-top: 10px;">v39</div>
 
     <div class="updated" id="updatedAt">Last updated: {{.UpdatedAt.Format "2006-01-02 15:04:05"}}</div>
 </body>