fix:auth CSRF

2025-09-27 11:43:58 +02:00
parent 7e4570cf0e
commit 88a7e74c78
6 changed files with 147 additions and 6 deletions
--- a/src/lib/server/auth.ts
+++ b/src/lib/server/auth.ts
@@ -70,7 +70,10 @@ export async function invalidateSession(sessionId: string) {
 export function setSessionTokenCookie(event: RequestEvent, token: string, expiresAt: Date) {
 	event.cookies.set(sessionCookieName, token, {
 		expires: expiresAt,
-		path: '/'
+		path: '/',
+		httpOnly: true,
+		secure: false, // Allow HTTP in development
+		sameSite: 'lax'
 	});
 }