From c7618b8a65ab29720f20c65759159c850b3463b4 Mon Sep 17 00:00:00 2001
From: giles <giles.bradshaw@sigyl.com>
Date: Mon, 23 Feb 2026 11:23:31 +0000
Subject: [PATCH] Set sso_hint cookie on login, clear on logout

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 bp/auth/routes.py | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/bp/auth/routes.py b/bp/auth/routes.py
index 0277f9c..68d01b8 100644
--- a/bp/auth/routes.py
+++ b/bp/auth/routes.py
@@ -196,11 +196,19 @@ def register(url_prefix="/auth"):
         qsession[SESSION_USER_KEY] = user_id
 
         redirect_url = pop_login_redirect_target()
-        return redirect(redirect_url, 303)
+        resp = redirect(redirect_url, 303)
+        resp.set_cookie(
+            "sso_hint", "1",
+            domain=".rose-ash.com", max_age=30 * 24 * 3600,
+            secure=True, samesite="Lax", httponly=True,
+        )
+        return resp
 
     @auth_bp.post("/logout/")
     async def logout():
         qsession.pop(SESSION_USER_KEY, None)
-        return redirect(federation_url("/"))
+        resp = redirect(federation_url("/"))
+        resp.delete_cookie("sso_hint", domain=".rose-ash.com", path="/")
+        return resp
 
     return auth_bp