From f2397e0a73557ed6a419426b6d9415359bf1bf79 Mon Sep 17 00:00:00 2001
From: gilesb
Date: Fri, 9 Jan 2026 16:54:29 +0000
Subject: [PATCH] Fix cross-subdomain cookie for iOS Safari

Change SameSite from Lax to None to allow cookie to be sent when navigating between L1 and L2 subdomains. iOS Safari's Intelligent Tracking Prevention may block Lax cookies.

Co-Authored-By: Claude Opus 4.5
---
 server.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/server.py b/server.py
index cc5430f..e199903 100644
--- a/server.py
+++ b/server.py
@@ -417,7 +417,7 @@ async def ui_login_submit(request: Request):
 value=token.access_token,
 httponly=True,
 max_age=60 * 60 * 24 * 30, # 30 days
- samesite="lax",
+ samesite="none",
 domain=COOKIE_DOMAIN, # Share across subdomains
 secure=True # Required for cross-subdomain cookies
 )
@@ -503,7 +503,7 @@ async def ui_register_submit(request: Request):
 value=token.access_token,
 httponly=True,
 max_age=60 * 60 * 24 * 30, # 30 days
- samesite="lax",
+ samesite="none",
 domain=COOKIE_DOMAIN, # Share across subdomains
 secure=True # Required for cross-subdomain cookies
 )
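Review bot: Setting `samesite="none"` on the cookie that carries `token.access_token` (in `ui_login_submit`, and identically in the `ui_register_submit` hunk) makes the browser attach this 30-day session cookie to every cross-site request, including form POSTs from unrelated sites, so the browser-level CSRF protection that Lax gave is lost. SameSite is evaluated against the registrable domain rather than the host name, so navigation between subdomains under `COOKIE_DOMAIN` should already count as same-site and receive a Lax cookie; unless `COOKIE_DOMAIN` sits on a public suffix, the iOS Safari symptom probably has another cause and `None` may not fix it. I would keep `samesite="lax",` in both calls, or, if `None` proves necessary, land it only together with a CSRF token or an Origin check on every state-changing route and a comment such as `# SameSite=None: CSRF is enforced by <mechanism>, not by the cookie`. Both cookie-setting calls start above their hunks, so whether such a check already exists elsewhere in server.py cannot be seen here.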