From 2667ec98fa28afd3473e0b6fa1462cbc69abd9c3 Mon Sep 17 00:00:00 2001
From: Michael Thomas
Date: Fri, 27 Mar 2026 13:10:55 -0400
Subject: [PATCH] fix: explicitly set sameSite: strict for OIDC correlation cookies

---
 server/routes/auth.ts | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/server/routes/auth.ts b/server/routes/auth.ts
index 657e37448..48db8e0fb 100644
--- a/server/routes/auth.ts
+++ b/server/routes/auth.ts
@@ -708,6 +708,7 @@ authRoutes.get('/oidc/login/:slug', async (req, res, next) => {
 httpOnly: true,
 secure: req.protocol === 'https',
 signed: true,
+sameSite: 'strict',
 });
 
 const callbackUrl = getOidcRedirectUrl(req);
@@ -726,6 +727,7 @@ authRoutes.get('/oidc/login/:slug', async (req, res, next) => {
 httpOnly: true,
 secure: req.protocol === 'https',
 signed: true,
+sameSite: 'strict',
 });
 
 let redirectUrl: URL;
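Review bot: `sameSite: 'strict'` on the correlation cookies set in `/oidc/login/:slug` will most likely break the login round-trip, because browsers omit Strict cookies on the cross-site top-level navigation that the identity provider's redirect back to the callback is, so the state/nonce check in the callback handler (outside this hunk) would find no cookie at all. The conventional setting for OAuth/OIDC correlation cookies is `sameSite: 'lax'`, which is still attached to a top-level GET arriving from another site but not to embedded requests or cross-site POSTs; the same applies to the second cookie in the `@@ -726` hunk. If the provider returns with `response_mode=form_post`, even Lax will not attach the cookie, so that case would need a different correlation mechanism. Both hunks sit inside a route handler whose start and end are outside the diff, so the matching read side cannot be checked here.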