From e5d1c93034304538867b0e519c83cf8b31b6288b Mon Sep 17 00:00:00 2001
From: gilesb
Date: Fri, 9 Jan 2026 17:40:14 +0000
Subject: [PATCH] Remove cross-subdomain cookie sharing, use lax SameSite

L1 servers now verify tokens by calling L2's /auth/verify endpoint, so L2 no longer needs to share cookies across subdomains. Each L1 sets its own first-party cookie via its /auth endpoint.

Co-Authored-By: Claude Opus 4.5
---
 server.py | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/server.py b/server.py
index 5170e15..04b77b6 100644
--- a/server.py
+++ b/server.py
@@ -433,15 +433,14 @@ async def ui_login_submit(request: Request):
     ''')
-    # Always set cookie on L2 as well
+    # Set cookie for L2 only (L1 servers set their own cookies via /auth endpoint)
     response.set_cookie(
         key="auth_token",
         value=token.access_token,
         httponly=True,
         max_age=60 * 60 * 24 * 30, # 30 days
-        samesite="none",
-        domain=COOKIE_DOMAIN, # Share across subdomains
-        secure=True # Required for cross-subdomain cookies
+        samesite="lax",
+        secure=True
     )
     return response
@@ -525,9 +524,8 @@ async def ui_register_submit(request: Request):
         value=token.access_token,
         httponly=True,
         max_age=60 * 60 * 24 * 30, # 30 days
-        samesite="none",
-        domain=COOKIE_DOMAIN, # Share across subdomains
-        secure=True # Required for cross-subdomain cookies
+        samesite="lax",
+        secure=True
     )
     return response
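Review bot: The cookie attributes written in ui_login_submit are now a byte-for-byte copy of the block in ui_register_submit (second hunk, @@ -525), and this commit had to edit both in lockstep to change the SameSite/Secure/domain policy; a single module-level helper called from both handlers would keep that policy in one place, as sketched below. With `samesite="lax"` the browser still attaches auth_token on cross-site top-level GET navigations, so any L2 route that changes state on GET remains reachable that way; if the L1→L2 handoff does not rely on a cross-site navigation landing on L2 with the cookie, `samesite="strict"` is the tighter setting, but that depends on the /auth flow, which is not visible in this diff. Both hunks also remove the last uses of COOKIE_DOMAIN shown here; if nothing else in server.py references it, its definition (and whatever configuration feeds it) is now dead and should be removed in the same change rather than left as a misleading setting. ui_login_submit and ui_register_submit both begin outside their hunks.
```python
def _set_auth_cookie(response, access_token):
    """Attach the first-party auth_token cookie to *response*.

    L2 sets only its own cookie; L1 servers set theirs via their /auth endpoint.
    """
    response.set_cookie(
        key="auth_token",
        value=access_token,
        httponly=True,
        max_age=60 * 60 * 24 * 30,  # 30 days
        samesite="lax",
        secure=True,
    )

# … unchanged: ui_login_submit body up to the response being built …
    _set_auth_cookie(response, token.access_token)
    return response
```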