feat(sdk): cookie secure option for local HTTP dev #11

Merged
jaredLunde merged 1 commit into main from fix/cookie-secure-option on Jun 21, 2026
Conversation

@jaredLunde

Contributor

sessionCookieAttrs/clearCookieAttrs hardcoded Secure + __Host-/__Secure-, which require HTTPS and so drop on http://localhost (notably Safari). Add a secure option (default true): when false, emit a plain session cookie (no prefix, not Secure) for local dev; getSessionToken reads it after the hardened cookies. Production stays __Host-/Secure by default. Unit-verified. 🤖 Generated with Claude Code

sessionCookieAttrs/clearCookieAttrs gain a `secure` option (default true).
When `secure: false`, emit a plain `session` cookie (no `__Host-`/`__Secure-`
prefix, not `Secure`) so sessions work over http://localhost in every browser
(prefixes + Secure require HTTPS). getSessionToken reads the plain cookie too,
after the hardened ones. Secure + `__Host-` remains the default for production.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
jaredLunde merged commit 5516345 into main on Jun 21, 2026
6 checks passed
jaredLunde deleted the fix/cookie-secure-option branch on June 21, 2026 18:33
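
The behaviour described in this pull request, sketched as an added example that is not the SDK's own code. The function names come from the PR text; the signatures, the `__Host-session`/`__Secure-session` cookie names, the other attributes and the `secure` argument on `getSessionToken` are assumptions. Unlike the PR as described, this reader accepts the unprefixed `session` cookie only when `secure` is `false`, because a cookie without a prefix carries no guarantee that a secure origin set it.

```javascript
// Added illustration. Cookie names and signatures are assumptions, not the SDK's API.
const HARDENED = ["__Host-session", "__Secure-session"]; // assumed hardened names
const PLAIN = "session"; // plain cookie name taken from the PR description

function sessionCookieAttrs(token, { secure = true, maxAge = 3600 } = {}) {
  // __Host- requires Secure, Path=/ and no Domain attribute; browsers reject it otherwise.
  const name = secure ? HARDENED[0] : PLAIN;
  const attrs = [
    `${name}=${encodeURIComponent(token)}`,
    "Path=/",
    "HttpOnly",
    "SameSite=Lax",
    `Max-Age=${maxAge}`,
  ];
  if (secure) attrs.push("Secure");
  return attrs.join("; ");
}

function clearCookieAttrs({ secure = true } = {}) {
  // Clearing must reuse the same name and Path, or the browser keeps the old cookie.
  return sessionCookieAttrs("", { secure, maxAge: 0 });
}

function parseCookies(header) {
  const jar = new Map();
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    let value = part.slice(eq + 1).trim();
    try { value = decodeURIComponent(value); } catch { continue; } // skip malformed values
    if (!jar.has(name)) jar.set(name, value); // first occurrence wins
  }
  return jar;
}

function getSessionToken(cookieHeader, { secure = true } = {}) {
  const jar = parseCookies(cookieHeader);
  // Hardened cookies are always checked first, as the PR describes.
  for (const name of HARDENED) {
    if (jar.get(name)) return jar.get(name);
  }
  // Assumption of this example: the plain cookie is a dev-only fallback.
  return secure ? null : jar.get(PLAIN) || null;
}
```
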