Update oidc_session_no_samesite cookie to be Secure (#19079)

2025-10-21 13:35:55 +01:00 · 2025-10-21 13:35:55 +01:00 · 2f65b9e001
commit 2f65b9e001
parent 418c9f3fe5
2 changed files with 2 additions and 1 deletions
--- a/changelog.d/19079.bugfix
+++ b/changelog.d/19079.bugfix
@ -0,0 +1 @@
+Fix the `oidc_session_no_samesite` cookie to have the `Secure` attribute, so the only difference between it and the paired `oidc_session` cookie, is the configuration of the `SameSite` attribute as described in the comments / cookie names. Contributed by @kieranlane.
--- a/synapse/handlers/oidc.py
+++ b/synapse/handlers/oidc.py
@ -96,7 +96,7 @@ logger = logging.getLogger(__name__)
 # Here we have the names of the cookies, and the options we use to set them.
 _SESSION_COOKIES = [
    (b"oidc_session", b"HttpOnly; Secure; SameSite=None"),
-    (b"oidc_session_no_samesite", b"HttpOnly"),
+    (b"oidc_session_no_samesite", b"HttpOnly; Secure"),
 ]
				`@ -0,0 +1 @@`
				Fix the `oidc_session_no_samesite` cookie to have the `Secure` attribute, so the only difference between it and the paired `oidc_session` cookie, is the configuration of the `SameSite` attribute as described in the comments / cookie names. Contributed by @kieranlane.