Set same_site to lax on session cookie if OIDC enabled

2026-02-18 23:42:07 +01:00 · 2025-10-07 10:40:25 -04:00
parent bf85a89265
commit 6d1218246b
1 changed files with 2 additions and 1 deletions
--- a/backend/main.py
+++ b/backend/main.py
@@ -19,6 +19,7 @@ from config import (
    DEV_PORT,
    DISABLE_CSRF_PROTECTION,
    IS_PYTEST_RUN,
+    OIDC_ENABLED,
    ROMM_AUTH_SECRET_KEY,
    SENTRY_DSN,
 )
@@ -105,7 +106,7 @@ app.add_middleware(
    SessionMiddleware,
    secret_key=ROMM_AUTH_SECRET_KEY,
    session_cookie="romm_session",
-    same_site="strict",
+    same_site="lax" if OIDC_ENABLED else "strict",
    https_only=False,
    jwt_alg=ALGORITHM,
 )