From d3ad460c9d6796b3e078d9cfbe1a36b0a61bfcd6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Guillot?=
Date: Tue, 5 Aug 2025 17:10:55 -0700
Subject: [PATCH] Revert "feat(cookie): use `SameSiteStrictMode` when not using OAuth2/OIDC"

This reverts commit 135ce1d54613778b58800627fbcedc3e64c64e24.

People using Miniflux as PWA on Android are constantly being logged out.
---
 internal/http/cookie/cookie.go | 20 ++++----------------
 1 file changed, 4 insertions(+), 16 deletions(-)

diff --git a/internal/http/cookie/cookie.go b/internal/http/cookie/cookie.go
index ae3988b6..94380274 100644
--- a/internal/http/cookie/cookie.go
+++ b/internal/http/cookie/cookie.go
@@ -18,26 +18,20 @@ const (
 // New creates a new cookie.
 func New(name, value string, isHTTPS bool, path string) *http.Cookie {
- cookie := &http.Cookie{
+ return &http.Cookie{
 Name: name,
 Value: value,
 Path: basePath(path),
 Secure: isHTTPS,
 HttpOnly: true,
 Expires: time.Now().Add(time.Duration(config.Opts.CleanupRemoveSessionsDays()) * 24 * time.Hour),
- SameSite: http.SameSiteStrictMode,
+ SameSite: http.SameSiteLaxMode,
 }
-
- // OAuth doesn't work when cookies are in strict mode.
- if config.Opts.OAuth2Provider() != "" {
- cookie.SameSite = http.SameSiteLaxMode
- }
-
- return cookie
 }
 // Expired returns an expired cookie.
 func Expired(name string, isHTTPS bool, path string) *http.Cookie {
- cookie := &http.Cookie{
+ return &http.Cookie{
 Name: name,
 Value: "",
 Path: basePath(path),
@@ -45,14 +39,8 @@ func Expired(name string, isHTTPS bool, path string) *http.Cookie {
 HttpOnly: true,
 MaxAge: -1,
 Expires: time.Date(1970, 1, 1, 0, 0, 0, 0, time.UTC),
- SameSite: http.SameSiteStrictMode,
+ SameSite: http.SameSiteLaxMode,
 }
-
- // OAuth doesn't work when cookies are in strict mode.
- if config.Opts.OAuth2Provider() != "" {
- cookie.SameSite = http.SameSiteLaxMode
- }
-
- return cookie
 }
 func basePath(path string) string {
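Review bot: The new `SameSite: http.SameSiteLaxMode` line in New carries no in-code rationale, so a later reader sees only a weaker-than-Strict session cookie and may re-tighten it and reintroduce the logouts; the reason lives solely in the commit message. I would add above the field: `// Lax, not Strict: Strict breaks the OAuth2/OIDC callback and keeps logging out Android PWA users (see the revert of 135ce1d5).` Worth stating in the same comment that Lax still attaches the cookie to cross-site top-level GET navigations, so CSRF protection for state-changing routes must not rely on SameSite alone; whether such protection exists is not visible from this hunk. The hunk also cuts into Expired, whose body continues in the next hunk.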
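Review bot: With the conditional gone, the SameSite policy is now hard-coded as `http.SameSiteLaxMode` twice, once here in Expired and once in New, and nothing keeps the two in step if the policy is revisited. Since the hunk header shows the file already has a `const (` block, I would hoist it there as `sessionSameSite = http.SameSiteLaxMode` with a one-line comment on why Lax is used, and write `SameSite: sessionSameSite,` in both functions. Expired's signature and its first fields are in the previous hunk, so only the tail of the function is visible here.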