From 2f65b9e001eeef0f2494cb1d1cc958a91c74d190 Mon Sep 17 00:00:00 2001
From: Kieran Lane
Date: Tue, 21 Oct 2025 13:35:55 +0100
Subject: [PATCH] Update `oidc_session_no_samesite` cookie to be `Secure` (#19079)

---
 changelog.d/19079.bugfix | 1 +
 synapse/handlers/oidc.py | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
 create mode 100644 changelog.d/19079.bugfix

diff --git a/changelog.d/19079.bugfix b/changelog.d/19079.bugfix
new file mode 100644
index 000000000..a7d9800d1
--- /dev/null
+++ b/changelog.d/19079.bugfix
@@ -0,0 +1 @@
+Fix the `oidc_session_no_samesite` cookie to have the `Secure` attribute, so the only difference between it and the paired `oidc_session` cookie, is the configuration of the `SameSite` attribute as described in the comments / cookie names. Contributed by @kieranlane.
\ No newline at end of file
diff --git a/synapse/handlers/oidc.py b/synapse/handlers/oidc.py
index fc93c6b2a..39505463b 100644
--- a/synapse/handlers/oidc.py
+++ b/synapse/handlers/oidc.py
@@ -96,7 +96,7 @@ logger = logging.getLogger(__name__)
 # Here we have the names of the cookies, and the options we use to set them.
 _SESSION_COOKIES = [
     (b"oidc_session", b"HttpOnly; Secure; SameSite=None"),
-    (b"oidc_session_no_samesite", b"HttpOnly"),
+    (b"oidc_session_no_samesite", b"HttpOnly; Secure"),
 ]
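Review bot: The comment above `_SESSION_COOKIES` (the comment block starts outside the hunk) explains the two cookies only in terms of `SameSite` and does not record that, after this change, a browser on a plain-HTTP origin returns neither cookie, so an HTTP-only dev or test deployment that previously got `oidc_session_no_samesite` back will now reach the OIDC callback with no session cookie at all. A one-line addition next to the list would make that explicit, e.g. `# Both cookies carry Secure: browsers only return them on an HTTPS origin (or one the browser treats as secure, such as localhost).` It is worth confirming that the callback's cookie lookup elsewhere in this file reports a missing cookie with a clear error rather than failing obscurely, since that path is not visible in the hunk. The `Path` and `Max-Age` attributes presumably come from the code that assembles the `Set-Cookie` header, so they need not be repeated in these literals.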