feat(cookie): use SameSiteStrictMode when not using OAuth2/OIDC

2025-08-06 17:41:00 +00:00 · 2025-07-09 04:20:24 +02:00 · 2025-07-09 04:20:24 +02:00 · 135ce1d546
commit 135ce1d546
parent abed7b11ce
1 changed files with 16 additions and 4 deletions
--- a/internal/http/cookie/cookie.go
+++ b/internal/http/cookie/cookie.go
@ -18,20 +18,26 @@ const (

 // New creates a new cookie.
 func New(name, value string, isHTTPS bool, path string) *http.Cookie {
-	return &http.Cookie{
+	cookie := &http.Cookie{
 		Name:     name,
 		Value:    value,
 		Path:     basePath(path),
 		Secure:   isHTTPS,
 		HttpOnly: true,
 		Expires:  time.Now().Add(time.Duration(config.Opts.CleanupRemoveSessionsDays()) * 24 * time.Hour),
-		SameSite: http.SameSiteLaxMode,
+		SameSite: http.SameSiteStrictMode,
 	}
+
+	// OAuth doesn't work when cookies are in strict mode.
+	if config.Opts.OAuth2Provider() != "" {
+		cookie.SameSite = http.SameSiteLaxMode
+	}
+	return cookie
 }

 // Expired returns an expired cookie.
 func Expired(name string, isHTTPS bool, path string) *http.Cookie {
-	return &http.Cookie{
+	cookie := &http.Cookie{
 		Name:     name,
 		Value:    "",
 		Path:     basePath(path),
@ -39,8 +45,14 @@ func Expired(name string, isHTTPS bool, path string) *http.Cookie {
 		HttpOnly: true,
 		MaxAge:   -1,
 		Expires:  time.Date(1970, 1, 1, 0, 0, 0, 0, time.UTC),
-		SameSite: http.SameSiteLaxMode,
+		SameSite: http.SameSiteStrictMode,
 	}
+
+	// OAuth doesn't work when cookies are in strict mode.
+	if config.Opts.OAuth2Provider() != "" {
+		cookie.SameSite = http.SameSiteLaxMode
+	}
+	return cookie
 }

 func basePath(path string) string {