fix(auth): use SameSite=None for refresh token cookie to fix desktop app
SameSite=Strict prevents the browser from sending the HttpOnly refresh token cookie in cross-origin contexts like the Electron desktop app, where the page runs on localhost but the API is on a remote host. This caused sessions to expire quickly because refresh requests never included the cookie. SameSite=None allows cross-origin sending while HttpOnly still prevents JavaScript from reading the cookie value (mitigating cookie theft via XSS). Resolves #2309
This commit is contained in:
parent
79dbb40985
commit
28f98a7a96
@ -62,7 +62,7 @@ func SetRefreshTokenCookie(c *echo.Context, token string, maxAge int) {
|
|||
MaxAge: maxAge,
|
||||
HttpOnly: true,
|
||||
Secure: secure,
|
||||
SameSite: http.SameSiteStrictMode,
|
||||
SameSite: http.SameSiteNoneMode,
|
||||
})
|
||||
}
|
||||
|
||||
|
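Review bot: The new `SameSite: http.SameSiteNoneMode` is only accepted by current browsers when the cookie is also marked `Secure`, but `Secure: secure` a few lines above is a runtime value, so any deployment where `secure` is false (plain HTTP, a dev profile) will now have the refresh cookie rejected outright rather than merely withheld cross-site. Either set `Secure: true` whenever None is used, or fall back to `http.SameSiteLaxMode` when `secure` is false, and record the constraint on the line: `// SameSite=None is only honored together with Secure; browsers drop the cookie otherwise`. Dropping Strict also removes the browser-side CSRF barrier for the refresh endpoint — a cross-site page can now trigger a credentialed refresh — so the handler (not in this hunk) should pair this with an explicit Origin allowlist for credentialed CORS and/or an Origin/Referer check; I cannot see from here whether it does. SetRefreshTokenCookie begins before this hunk.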