mc/metacrypt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix download cookie: SameSite Strict blocks cookie on POST redirect

Browse Source 
SameSite=Strict prevents the browser from sending the auth cookie when
following a redirect from a cross-context POST (form submission) to a
GET. Changing to SameSite=Lax allows the cookie to be sent on top-level
navigations (including redirects), so the /pki/download/{token} handler
receives the auth cookie and serves the tgz.

Co-authored-by: Junie <junie@jetbrains.com>
This commit is contained in:
Kyle Isom
2026-03-15 13:50:22 -07:00
parent 4469c650cc
commit 02ee538213
2 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
internal/webserver/routes.go
View File

@@ -179,7 +179,7 @@ func (ws *WebServer) handleLogin(w http.ResponseWriter, r *http.Request) {
Path: "/",
HttpOnly: true,
Secure: true,
SameSite: http.SameSiteStrictMode,
SameSite: http.SameSiteLaxMode,
})
http.Redirect(w, r, "/dashboard", http.StatusFound)
default: