SameSite=None requires Secure=true per browser spec. When running over plain HTTP (local dev, e2e tests), browsers reject or downgrade the cookie, breaking session refresh. Fall back to SameSite=Lax for HTTP while keeping SameSite=None for HTTPS (needed for the Electron desktop app cross-origin scenario).

- ldap
- openid
- auth.go
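
The fallback described in the commit message above, as an added Go example that is not the project's own `auth.go`: the cookie gets `SameSite=None` with `Secure` only when the request arrived over TLS, and `SameSite=Lax` otherwise. The cookie name, the helper names and the sample URLs are assumptions, and the TLS check looks at the direct connection only.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// sessionCookieName is a hypothetical name; the project's real one is not shown on the page.
const sessionCookieName = "session"

// isHTTPS reports whether the request arrived over TLS. A deployment that
// terminates TLS at a proxy needs its own trusted signal; this sketch only
// checks the direct connection (assumption).
func isHTTPS(r *http.Request) bool {
	return r.TLS != nil
}

// newSessionCookie picks SameSite from the transport: None plus Secure on
// HTTPS (cross-origin desktop client), Lax without Secure on plain HTTP.
func newSessionCookie(r *http.Request, value string) *http.Cookie {
	c := &http.Cookie{
		Name:     sessionCookieName,
		Value:    value,
		Path:     "/",
		HttpOnly: true,
		SameSite: http.SameSiteLaxMode,
	}
	if isHTTPS(r) {
		c.Secure = true
		c.SameSite = http.SameSiteNoneMode
	}
	return c
}

// setCookieHeader returns the Set-Cookie header a handler would emit for r.
func setCookieHeader(r *http.Request) string {
	w := httptest.NewRecorder()
	http.SetCookie(w, newSessionCookie(r, "constructed-token"))
	return w.Header().Get("Set-Cookie")
}

func main() {
	// Constructed requests: httptest.NewRequest sets r.TLS for https URLs.
	for _, u := range []string{"http://localhost:8080/refresh", "https://app.example/refresh"} {
		fmt.Println(u, "->", setCookieHeader(httptest.NewRequest("GET", u, nil)))
	}
}
```

Because `Secure` and `SameSite=None` are set in the same branch, no code path can emit `SameSite=None` without `Secure`.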