gilesb e5d1c93034 Remove cross-subdomain cookie sharing, use lax SameSite ...

L1 servers now verify tokens by calling L2's /auth/verify endpoint,
so L2 no longer needs to share cookies across subdomains. Each L1
sets its own first-party cookie via its /auth endpoint.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2026-01-09 17:40:14 +00:00

121 KiB

Raw Blame History

View Raw