From 6d1218246b9643ddac2ea4a83eed83db7e7f0eaf Mon Sep 17 00:00:00 2001
From: Georges-Antoine Assi
Date: Tue, 7 Oct 2025 10:40:25 -0400
Subject: [PATCH] Set same_site to lax on session cookie if OIDC enabled

---
 backend/main.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/backend/main.py b/backend/main.py
index 3e7eddbc8..a4058b5db 100644
--- a/backend/main.py
+++ b/backend/main.py
@@ -19,6 +19,7 @@ from config import (
 DEV_PORT,
 DISABLE_CSRF_PROTECTION,
 IS_PYTEST_RUN,
+ OIDC_ENABLED,
 ROMM_AUTH_SECRET_KEY,
 SENTRY_DSN,
 )
@@ -105,7 +106,7 @@ app.add_middleware(
 SessionMiddleware,
 secret_key=ROMM_AUTH_SECRET_KEY,
 session_cookie="romm_session",
- same_site="strict",
+ same_site="lax" if OIDC_ENABLED else "strict",
 https_only=False,
 jwt_alg=ALGORITHM,
 )
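Review bot: The relaxed `same_site` on the `same_site="lax" if OIDC_ENABLED else "strict"` line is a deliberate security trade-off that the code leaves unexplained; a short comment would stop a later cleanup from restoring `strict` and silently breaking OIDC login, e.g. `# OIDC login returns via a top-level cross-site redirect from the IdP; Strict drops the session cookie on that callback, Lax still withholds it on cross-site POSTs and subresource requests`. Under Lax the cookie is attached to cross-site top-level GET navigations, so any state-changing GET endpoint in the app becomes reachable with the victim's session — the CSRF protection implied by `DISABLE_CSRF_PROTECTION` in the first hunk presumably covers only unsafe methods, which is worth confirming. `https_only=False` is unchanged, so the cookie also remains without the Secure attribute; if OIDC deployments are always behind TLS, tying `https_only` to the same condition (or a dedicated config flag) may be worth considering. The `app.add_middleware(` call opens just above the hunk.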