Commit 68ed622
fix(auth): derive cookie Secure flag from request scheme
Previously session and CSRF cookies always had Secure=True, causing
browsers to reject them on plain-HTTP connections (e.g. VPN access
without TLS termination). Now secure= follows request.url.scheme so
cookies work on HTTP while remaining Secure on HTTPS.
When behind a TLS-terminating proxy the scheme is rewritten to https
via X-Forwarded-Proto (trusted proxy), so Secure is preserved there.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

1 parent 5fd73ad
3 files changed
Lines changed: 7 additions & 6 deletions
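The derivation the commit message describes (Secure follows the request scheme, with X-Forwarded-Proto from a trusted proxy), beside a fail-closed variant, as an added example that is not the project's code: the `Request` stand-in, the `trusted_proxies` list, the `allow_insecure_transport` setting and all function names are assumptions chosen for illustration. The second variant honours X-Forwarded-Proto only when the immediate peer is in the proxy list and keeps Secure on unless the deployment explicitly opts into plain-HTTP cookies.

```python
"""Two ways to decide a cookie's Secure attribute.

Added example, not the project's code. The Request class, the trusted
proxy list and the function names below are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Request:
    """Minimal stand-in for a framework request object (assumption)."""
    scheme: str                              # scheme of the connection the app sees
    client_ip: str                           # peer address of that connection
    headers: dict = field(default_factory=dict)


def secure_from_scheme(request: Request) -> bool:
    """The approach in the commit message: Secure follows the request scheme.

    Over plain HTTP this returns False, so the browser accepts the cookie and
    then sends it on every later HTTP request to the host as well.
    """
    return request.scheme == "https"


def effective_scheme(request: Request, trusted_proxies: list[str]) -> str:
    """Honour X-Forwarded-Proto only when the immediate peer is a trusted proxy.

    A client that reaches the app without a proxy in front must not be able
    to change the result by sending the header itself.
    """
    headers = {k.lower(): v for k, v in request.headers.items()}
    # A proxy chain may append values; the first is the client-facing scheme.
    xfp = headers.get("x-forwarded-proto", "").split(",")[0].strip().lower()
    peer = ip_address(request.client_ip)
    if xfp in ("http", "https") and any(peer in ip_network(n) for n in trusted_proxies):
        return xfp
    return request.scheme


def secure_flag(request: Request, trusted_proxies: list[str],
                allow_insecure_transport: bool = False) -> bool:
    """Fail-closed variant: Secure stays True unless plain-HTTP cookies are
    explicitly enabled for the deployment (assumed setting).

    A rejected cookie on an unexpected HTTP path is a visible failure; a
    session token sent in clear text is not.
    """
    if effective_scheme(request, trusted_proxies) == "https":
        return True
    return not allow_insecure_transport


def set_cookie_header(name: str, value: str, secure: bool) -> str:
    """Render a Set-Cookie value; only the Secure attribute depends on the decision."""
    attrs = [f"{name}={value}", "Path=/", "HttpOnly", "SameSite=Lax"]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)


if __name__ == "__main__":
    proxies = ["10.0.0.0/8"]                 # constructed proxy CIDR for the demo
    # Constructed requests: a VPN client on plain HTTP, and a direct client
    # spoofing X-Forwarded-Proto over an HTTPS connection.
    vpn = Request("http", "10.0.0.5")
    spoof = Request("https", "203.0.113.7", {"X-Forwarded-Proto": "http"})
    for req in (vpn, spoof):
        print(req.scheme, req.client_ip,
              "scheme-derived:", secure_from_scheme(req),
              "fail-closed:", secure_flag(req, proxies))
```

With the fail-closed variant, the VPN-without-TLS case the commit message targets still works once `allow_insecure_transport` is set for that deployment, while a spoofed header from a non-proxy address leaves Secure in place on HTTPS.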
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
30 | 30 | | |
31 | 31 | | |
32 | 32 | | |
33 | | - | |
| 33 | + | |
34 | 34 | | |
35 | 35 | | |
36 | 36 | | |
37 | 37 | | |
38 | | - | |
| 38 | + | |
39 | 39 | | |
40 | 40 | | |
41 | 41 | | |
| |||
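Review bot: if the one-line replacements at 33 and 38 are the session and CSRF cookie `secure=` arguments the commit message describes, deriving the flag from `request.url.scheme` mints a cookie without the Secure attribute for any request that arrives over plain HTTP, and the browser then sends that cookie on every later HTTP request to the host, not only on the VPN path the message has in mind. Prefer keeping `secure=True` as the default and making the plain-HTTP case an explicit deployment setting that is off unless set, so a misconfigured or downgraded path fails closed with a rejected cookie instead of transmitting the session token in clear text.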
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
259 | 259 | | |
260 | 260 | | |
261 | 261 | | |
262 | | - | |
263 | | - | |
| 262 | + | |
| 263 | + | |
| 264 | + | |
264 | 265 | | |
265 | 266 | | |
266 | 267 | | |
| |||
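Review bot: if the three lines at 262-264 replacing 262-263 are where the scheme is rewritten from X-Forwarded-Proto, the "(trusted proxy)" in the commit message has to be enforced in code rather than assumed: honour the header only when the immediate peer address is in a configured proxy list and ignore or strip it otherwise, because a client that reaches the app without a proxy in front can otherwise send `X-Forwarded-Proto: http` and clear Secure on an HTTPS connection. A test that sends the header from a non-proxy address and asserts that both the scheme and the cookie's Secure attribute are unchanged would pin this down.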
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
276 | 276 | | |
277 | 277 | | |
278 | 278 | | |
279 | | - | |
| 279 | + | |
280 | 280 | | |
281 | 281 | | |
282 | 282 | | |
283 | 283 | | |
284 | | - | |
| 284 | + | |
285 | 285 | | |
286 | 286 | | |
287 | 287 | | |
| |||
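Review bot: the replacements at 279 and 284 are the last of the three files, and the commit message lists three behaviours (Secure dropped on plain HTTP, Secure kept on direct HTTPS, Secure kept on HTTP behind a proxy sending `X-Forwarded-Proto: https`) without a test for any of them; each case should assert the presence or absence of the Secure attribute in the resulting Set-Cookie header. For the CSRF cookie the message also covers, a token issued without Secure over HTTP is readable by an on-path attacker and, if the same token store serves the HTTPS side, is accepted there too, so that pairing deserves an explicit test as well.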