From 31b7b61bb09bde399127cb688fdf57070793ba12 Mon Sep 17 00:00:00 2001
From: primal
Date: Fri, 30 Jan 2026 16:05:59 -0500
Subject: [PATCH] v39: Fix session cookie Secure flag for HTTP

---
 oauth_handlers.go | 2 +-
 oauth_session.go | 7 +++++--
 templates.go | 2 +-
 3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/oauth_handlers.go b/oauth_handlers.go
index 62c5eaa..d621811 100644
--- a/oauth_handlers.go
+++ b/oauth_handlers.go
@@ -287,7 +287,7 @@ func (m *OAuthManager) HandleCallback(w http.ResponseWriter, r *http.Request) {
 	m.sessions.UpdateSession(session)
 
 	// Set session cookie
-	if err := m.SetSessionCookie(w, session.ID); err != nil {
+	if err := m.SetSessionCookie(w, r, session.ID); err != nil {
 		http.Error(w, fmt.Sprintf("Failed to set cookie: %v", err), http.StatusInternalServerError)
 		return
 	}
diff --git a/oauth_session.go b/oauth_session.go
index ad924bc..28a51c9 100644
--- a/oauth_session.go
+++ b/oauth_session.go
@@ -236,18 +236,21 @@ func decryptSessionID(encrypted string, key []byte) (string, error) {
 }
 
 // SetSessionCookie sets an encrypted session cookie
-func (m *OAuthManager) SetSessionCookie(w http.ResponseWriter, sessionID string) error {
+func (m *OAuthManager) SetSessionCookie(w http.ResponseWriter, r *http.Request, sessionID string) error {
 	encrypted, err := encryptSessionID(sessionID, m.cookieSecret)
 	if err != nil {
 		return err
 	}
 
+	// Only set Secure flag for HTTPS connections
+	secure := r.TLS != nil || r.Header.Get("X-Forwarded-Proto") == "https"
+
 	http.SetCookie(w, &http.Cookie{
 		Name:     sessionCookieName,
 		Value:    encrypted,
 		Path:     "/",
 		HttpOnly: true,
-		Secure:   true,
+		Secure:   secure,
 		SameSite: http.SameSiteLaxMode,
 		MaxAge:   int(sessionTTL.Seconds()),
 	})
diff --git a/templates.go b/templates.go
index 01f478e..1663261 100644
--- a/templates.go
+++ b/templates.go
@@ -534,7 +534,7 @@ const dashboardHTML = `
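Review bot: The new `secure :=` line in SetSessionCookie derives the cookie's Secure attribute from `X-Forwarded-Proto`, a request header the process cannot distinguish from client input unless a trusted reverse proxy is known to overwrite it; when the service is reachable without such a proxy, the header becomes the deciding input, and a TLS-terminating proxy that does not set the header silently downgrades the session cookie to non-Secure. The header check should be conditioned on a configuration flag that says a trusted proxy is in front (name to be chosen by the project), with `r.TLS != nil` alone used otherwise, and it is safest to keep `Secure: true` as the default and only relax it for an explicitly configured plain-HTTP deployment. The comparison is also stricter than the header's usual form: proxies may send a comma-separated chain and mixed case, so `proto, _, _ := strings.Cut(r.Header.Get("X-Forwarded-Proto"), ",")` followed by `secure := r.TLS != nil || strings.EqualFold(strings.TrimSpace(proto), "https")` is more robust (this needs `strings` imported in oauth_session.go, which the hunk does not show). The unchanged doc comment should describe the new parameter: `// SetSessionCookie sets an encrypted session cookie; Secure is set only when the request arrived over TLS or a trusted proxy reports X-Forwarded-Proto=https.`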
-
v38
+
v39
Last updated: {{.UpdatedAt.Format "2006-01-02 15:04:05"}}