Update oidc_session_no_samesite cookie to be Secure (#19079)

kieranlane · web-flow · commit 2f65b9e001ee · 2025-10-21T13:35:55.000+01:00
diff --git a/changelog.d/19079.bugfix b/changelog.d/19079.bugfix
@@ -0,0 +1 @@
+Fix the `oidc_session_no_samesite` cookie to have the `Secure` attribute, so the only difference between it and the paired `oidc_session` cookie, is the configuration of the `SameSite` attribute as described in the comments / cookie names. Contributed by @kieranlane.
diff --git a/synapse/handlers/oidc.py b/synapse/handlers/oidc.py
@@ -96,7 +96,7 @@
 # Here we have the names of the cookies, and the options we use to set them.
 _SESSION_COOKIES = [
     (b"oidc_session", b"HttpOnly; Secure; SameSite=None"),
-    (b"oidc_session_no_samesite", b"HttpOnly"),
+    (b"oidc_session_no_samesite", b"HttpOnly; Secure"),
 ]
 
 

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+Fix the `oidc_session_no_samesite` cookie to have the `Secure` attribute, so the only difference between it and the paired `oidc_session` cookie, is the configuration of the `SameSite` attribute as described in the comments / cookie names. Contributed by @kieranlane.
Original file line number	Diff line number	Diff line change
`@@ -96,7 +96,7 @@`
`96`	`96`	`# Here we have the names of the cookies, and the options we use to set them.`
`97`	`97`	`_SESSION_COOKIES = [`
`98`	`98`	`(b"oidc_session", b"HttpOnly; Secure; SameSite=None"),`
`99`		`- (b"oidc_session_no_samesite", b"HttpOnly"),`
	`99`	`+ (b"oidc_session_no_samesite", b"HttpOnly; Secure"),`
`100`	`100`	`]`
`101`	`101`
`102`	`102`