Skip to content

fix(session-cookie): update secure cookie handling to prevent issues in local deployments #307

Closed
polaris-dxz wants to merge 2 commits intobuilderz-labs:mainfrom
polaris-dxz:fix/session-cookie-http-login
Closed

fix(session-cookie): update secure cookie handling to prevent issues in local deployments #307
polaris-dxz wants to merge 2 commits intobuilderz-labs:mainfrom
polaris-dxz:fix/session-cookie-http-login

Conversation

@polaris-dxz
Copy link

@polaris-dxz polaris-dxz commented Mar 12, 2026

Summary

When running Mission Control with pnpm start or bash install.sh --local (production build over HTTP), login returns 200 but the user stays on the login page. The session cookie was being set with Secure because we defaulted to secure = true when NODE_ENV === 'production'. Browsers do not store or send Secure cookies over HTTP, so the cookie was never persisted and the middleware redirected back to /login.

Change: In getMcSessionCookieOptions (src/lib/session-cookie.ts), stop using NODE_ENV === 'production' to set the cookie secure flag. Use only (1) explicit MC_COOKIE_SECURE env, or (2) actual request security (x-forwarded-proto: https or https:). Default to false so HTTP-only local deployments work without extra config. HTTPS deployments and reverse-proxy setups are unchanged when the request is seen as secure or when MC_COOKIE_SECURE=true is set.

Risk Level

Low

Tests

  • pnpm build && pnpm start — opened http://localhost:3000/login, logged in with admin credentials; redirect to / and session persisted (no redirect back to login).
  • pnpm dev — login still works as before.
  • Verified login response Set-Cookie no longer includes Secure when request is HTTP; cookie is mc-session with HttpOnly; SameSite=strict only.

Contribution Checklist

  • Tests added/updated for behavior changes
  • Lint/typecheck/build passing
  • Security review done if auth/data/crypto touched
  • DB migration tested if schema changed

Notes

  • No DB or schema changes.
  • For production over HTTPS (or behind a TLS proxy that sets x-forwarded-proto: https), secure remains true and behavior is unchanged. Operators who want to force Secure on HTTP (e.g. for testing) can set MC_COOKIE_SECURE=true.

@polaris-dxz
fix(session-cookie): update secure cookie handling to prevent issues …
aabaf7d 
…in local deployments

- Adjusted the logic for determining the 'secure' flag in getMcSessionCookieOptions to prioritize explicit environment overrides and request security, while removing the fallback to NODE_ENV. This change addresses potential issues with HTTP-only local deployments where browsers may drop 'Secure' cookies.
@polaris-dxz polaris-dxz requested a review from 0xNyk as a code owner March 12, 2026 15:18
@0xNyk
Copy link
Member

0xNyk commented Mar 13, 2026

Thanks for the contribution @polaris-dxz! This fix was already merged in eddfd75 (#304) — the NODE_ENV fallback was removed from getMcSessionCookieOptions so secure now derives only from MC_COOKIE_SECURE or the actual request protocol.

Your PR adds explanatory comments to the same line but the functional change is already in main. Closing as superseded — thanks again for catching this independently!

@0xNyk 0xNyk closed this Mar 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@0xNyk 0xNyk Awaiting requested review from 0xNyk 0xNyk is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@polaris-dxz @0xNyk