Remove cross-subdomain cookie sharing, use lax SameSite
L1 servers now verify tokens by calling L2's /auth/verify endpoint, so L2 no longer needs to share cookies across subdomains. Each L1 sets its own first-party cookie via its /auth endpoint. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
12
server.py
12
server.py
@@ -433,15 +433,14 @@ async def ui_login_submit(request: Request):
|
|||||||
<script>window.location.href = "/";</script>
|
<script>window.location.href = "/";</script>
|
||||||
''')
|
''')
|
||||||
|
|
||||||
# Always set cookie on L2 as well
|
# Set cookie for L2 only (L1 servers set their own cookies via /auth endpoint)
|
||||||
response.set_cookie(
|
response.set_cookie(
|
||||||
key="auth_token",
|
key="auth_token",
|
||||||
value=token.access_token,
|
value=token.access_token,
|
||||||
httponly=True,
|
httponly=True,
|
||||||
max_age=60 * 60 * 24 * 30, # 30 days
|
max_age=60 * 60 * 24 * 30, # 30 days
|
||||||
samesite="none",
|
samesite="lax",
|
||||||
domain=COOKIE_DOMAIN, # Share across subdomains
|
secure=True
|
||||||
secure=True # Required for cross-subdomain cookies
|
|
||||||
)
|
)
|
||||||
return response
|
return response
|
||||||
|
|
||||||
@@ -525,9 +524,8 @@ async def ui_register_submit(request: Request):
|
|||||||
value=token.access_token,
|
value=token.access_token,
|
||||||
httponly=True,
|
httponly=True,
|
||||||
max_age=60 * 60 * 24 * 30, # 30 days
|
max_age=60 * 60 * 24 * 30, # 30 days
|
||||||
samesite="none",
|
samesite="lax",
|
||||||
domain=COOKIE_DOMAIN, # Share across subdomains
|
secure=True
|
||||||
secure=True # Required for cross-subdomain cookies
|
|
||||||
)
|
)
|
||||||
return response
|
return response
|
||||||
|
|
||||||
|
|||||||
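Review bot: Browsers that still hold the previous domain-scoped `auth_token` cookie (Domain=COOKIE_DOMAIN, SameSite=None, max_age 30 days) will now send it together with the new host-only cookie of the same name, and neither hunk expires the old one; which of the two duplicate values `request.cookies` yields depends on cookie ordering and the parser, so a session may keep presenting a stale token to L2 until the legacy cookie ages out. Consider dropping it in both `ui_login_submit` and `ui_register_submit` just before the new `set_cookie`, e.g. `response.delete_cookie("auth_token", domain=COOKIE_DOMAIN)` (the domain and path must match the cookie originally set for the browser to remove it; if `COOKIE_DOMAIN` is removed elsewhere in this commit, the original domain string has to be kept for this purpose), and do the same in the logout path. The `set_cookie(...)` attribute list is repeated verbatim in both hunks, so a small helper such as `_set_auth_cookie(response, token)` would keep the cookie policy in one place. Both enclosing functions start outside the hunks.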