authorLibravatar Shadowfacts <me@shadowfacts.net>2022-02-15 10:00:07 -0500
committerLibravatar GitHub <noreply@github.com>2022-02-15 16:00:07 +0100
commit09d6478d72fb91b7e18fbd96abebbfd574e02a6b (patch)
tree7d6d0a364b6ad9d739098b56069a30e4f2917b14 /internal/router
parent[chore] fix mirror + clean up (#396) (diff)
[bugfix] Only mark cookies as Secure on https (#398)
Fixes cookies not being stored/sent by Safari when serving over plain http
Diffstat (limited to 'internal/router')
-rw-r--r--internal/router/session.go8
1 files changed, 4 insertions, 4 deletions
diff --git a/internal/router/session.go b/internal/router/session.go
index 066024601..be29b01c9 100644
--- a/internal/router/session.go
+++ b/internal/router/session.go
@@ -38,10 +38,10 @@ func SessionOptions() sessions.Options {
return sessions.Options{
Path: "/",
Domain: viper.GetString(config.Keys.Host),
- MaxAge: 120, // 2 minutes
- Secure: true, // only use cookie over https
- HttpOnly: true, // exclude javascript from inspecting cookie
- SameSite: http.SameSiteDefaultMode, // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00#section-4.1.1
+ MaxAge: 120, // 2 minutes
+ Secure: viper.GetString(config.Keys.Protocol) == "https", // only use cookie over https
+ HttpOnly: true, // exclude javascript from inspecting cookie
+ SameSite: http.SameSiteDefaultMode, // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00#section-4.1.1
}
}
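Review bot: `SameSite: http.SameSiteDefaultMode` on the new side of this hunk emits no SameSite attribute at all, so cross-site sending of this HttpOnly session cookie is left to whatever each browser defaults to, and the draft the trailing comment links to predates that behaviour; an explicit `SameSite: http.SameSiteLaxMode, // not sent on cross-site POSTs` would pin it. The new `Secure` expression also silently yields false for any configured value other than the exact string `"https"` — presumably intended only for local plain-http deployments, but it deserves a comment such as `// Secure is dropped only for plain-http deployments; the session cookie then travels in cleartext.` so nobody mistakes it for a safe production setting. `SessionOptions` begins above the hunk, so whether the protocol value is validated or normalised before it reaches this comparison is not visible here.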