🍪 feat: Add Session Cookie Secure Override #13189

Merged
danny-avila merged 2 commits into dev from danny-avila/fix-session-cookie-secure-override on May 19, 2026

Conversation

@danny-avila

Owner

Closes #13188.

Summary

I added an explicit SESSION_COOKIE_SECURE override for LibreChat session and auth cookies so HTTP-only deployments can opt out of the Secure cookie flag when the production hostname heuristic would otherwise enable it.

  • Added SESSION_COOKIE_SECURE=true|false handling inside shouldUseSecureCookie() before the existing NODE_ENV and DOMAIN_SERVER heuristic runs.
  • Preserved the current default behavior when the override is unset or invalid, so production non-localhost deployments still use secure cookies by default.
  • Documented the override in .env.example, including guidance to set it to false only for HTTP-only deployments where browsers drop Secure cookies.
  • Added unit tests for explicit true, explicit false, normalized values, and invalid-value fallback.

The behavior that broke HTTP-only non-localhost OIDC deployments came from secure-cookie hardening in #11407, followed by the localhost-only bypass in #11518. That fixed local Docker over HTTP but still classified non-localhost HTTP endpoints as secure-cookie deployments, so browsers dropped the OIDC connect.sid cookie and later auth cookies.

Change Type

  • Bug fix (non-breaking change which fixes an issue)
  • Documentation update

Testing

  • Ran npm run smart-reinstall to install dependencies and build packages.
  • Ran cd packages/api && npx jest src/oauth/csrf.spec.ts --coverage=false --runInBand.

Test Configuration:

  • Node.js v20.19.5
  • npm 10.8.2
  • Targeted Jest suite: packages/api/src/oauth/csrf.spec.ts passes with 19 tests.

Checklist

  • My code adheres to this project's style guidelines
  • I have performed a self-review of my own code
  • I have made pertinent documentation changes
  • My changes do not introduce new warnings
  • I have written tests demonstrating that my changes are effective or that my feature works
  • Local unit tests pass with my changes
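
The decision the PR describes (an explicit SESSION_COOKIE_SECURE override evaluated before the NODE_ENV + DOMAIN_SERVER heuristic, with invalid values falling back to the default), written out as an added TypeScript example. This is not LibreChat's own csrf.ts: the set of hostnames treated as localhost, the cookie-options shape, and the `env` parameter (used instead of mutating process.env) are assumptions made for the example.

```typescript
// Added example, not LibreChat's packages/api/src/oauth/csrf.ts: a secure-cookie
// decision helper with an explicit SESSION_COOKIE_SECURE override evaluated before
// the NODE_ENV + DOMAIN_SERVER heuristic. The env object is passed in explicitly
// so the decision is testable without mutating process.env.

type Env = Record<string, string | undefined>;

// Hostnames treated as local; this set is an assumption for the example.
const LOCALHOST_NAMES = new Set(['localhost', '127.0.0.1', '[::1]']);

/** Normalise SESSION_COOKIE_SECURE; undefined means "unset or invalid, use the heuristic". */
function parseSecureOverride(raw: string | undefined): boolean | undefined {
  if (raw === undefined) return undefined;
  const value = raw.trim().toLowerCase();
  if (value === 'true') return true;
  if (value === 'false') return false;
  return undefined; // e.g. "yes", "1" or "" fall through to the default behaviour
}

/** True when DOMAIN_SERVER is a plain-HTTP origin on a localhost name. */
function isLocalhostHttp(domainServer: string | undefined): boolean {
  if (!domainServer) return false;
  const match = /^(https?):\/\/(\[[^\]]*\]|[^/:?#]+)/i.exec(domainServer.trim());
  if (!match) return false;
  const scheme = (match[1] ?? '').toLowerCase();
  const host = (match[2] ?? '').toLowerCase();
  return scheme === 'http' && LOCALHOST_NAMES.has(host);
}

/**
 * Decide whether session/auth cookies get the Secure attribute.
 * 1. An explicit SESSION_COOKIE_SECURE=true|false wins.
 * 2. Otherwise: secure in production unless DOMAIN_SERVER is http://localhost.
 */
function shouldUseSecureCookie(env: Env): boolean {
  const override = parseSecureOverride(env.SESSION_COOKIE_SECURE);
  if (override !== undefined) return override;
  if (env.NODE_ENV !== 'production') return false;
  return !isLocalhostHttp(env.DOMAIN_SERVER);
}

/** Cookie options a session middleware would consume (the shape is an assumption). */
function sessionCookieOptions(env: Env): { httpOnly: true; sameSite: 'lax'; secure: boolean } {
  return { httpOnly: true, sameSite: 'lax', secure: shouldUseSecureCookie(env) };
}

// Constructed deployments for a quick stand-alone check.
const scenarios: Array<[string, Env]> = [
  ['prod HTTPS, no override', { NODE_ENV: 'production', DOMAIN_SERVER: 'https://chat.example.com' }],
  ['prod http://localhost, no override', { NODE_ENV: 'production', DOMAIN_SERVER: 'http://localhost:3080' }],
  ['prod HTTP internal host, no override (browser drops the cookie)', { NODE_ENV: 'production', DOMAIN_SERVER: 'http://chat.internal.example' }],
  ['prod HTTP internal host, SESSION_COOKIE_SECURE=false', { NODE_ENV: 'production', DOMAIN_SERVER: 'http://chat.internal.example', SESSION_COOKIE_SECURE: 'false' }],
  ['prod HTTP internal host, invalid override "yes"', { NODE_ENV: 'production', DOMAIN_SERVER: 'http://chat.internal.example', SESSION_COOKIE_SECURE: 'yes' }],
];
for (const [label, env] of scenarios) {
  console.log(`${label}: secure=${shouldUseSecureCookie(env)}`);
}
```

The third scenario is the failure mode the PR fixes: a production, non-localhost HTTP origin is still classified as a secure-cookie deployment, so the cookie is set with Secure and the browser discards it over HTTP. Only an explicit `false` changes that; an unrecognised value leaves the default in place, so a typo in the override cannot silently downgrade a deployment that should be secure. A deployment behind a TLS-terminating proxy keeps the default and sets DOMAIN_SERVER to its https origin rather than opting out.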

Copilot AI review requested due to automatic review settings May 19, 2026 10:52
@danny-avila danny-avila force-pushed the danny-avila/fix-session-cookie-secure-override branch from 8c06c54 to d3bc904 May 19, 2026 10:53

Copilot AI left a comment

Contributor


Pull request overview

Adds an explicit SESSION_COOKIE_SECURE environment override to shouldUseSecureCookie() so operators can force secure/non-secure cookie behavior regardless of the existing NODE_ENV + DOMAIN_SERVER heuristic (addressing HTTP-only deployments where browsers drop Secure cookies).

Changes:

  • Added SESSION_COOKIE_SECURE=true|false override handling in shouldUseSecureCookie() before the current heuristic.
  • Added Jest coverage for explicit true/false, normalization, and invalid-value fallback behavior.
  • Documented SESSION_COOKIE_SECURE in .env.example with guidance for HTTP-only deployments.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File                                   | Description
packages/api/src/oauth/csrf.ts         | Adds SESSION_COOKIE_SECURE override parsing to the secure-cookie decision helper.
packages/api/src/oauth/csrf.spec.ts    | Adds unit tests covering the new override behavior and normalization/fallback.
.env.example                           | Documents the new SESSION_COOKIE_SECURE override and intended usage.


Comment thread: packages/api/src/oauth/csrf.ts (outdated)
Comment on lines 14 to 16:
   * Returns `true` in production unless the server is running on localhost (HTTP).
   * This allows cookies to work on `http://localhost` during local development
   * even when `NODE_ENV=production` (common in Docker Compose setups).
Comment on lines +32 to +37:
  it('should return true when SESSION_COOKIE_SECURE=true', () => {
    process.env.NODE_ENV = 'development';
    process.env.DOMAIN_SERVER = 'http://localhost:3080';
    process.env.SESSION_COOKIE_SECURE = 'true';
    expect(shouldUseSecureCookie()).toBe(true);
  });
@danny-avila danny-avila force-pushed the danny-avila/fix-session-cookie-secure-override branch from d3bc904 to 1ad1522 May 19, 2026 10:57
@danny-avila

Owner Author

@codex review

@chatgpt-codex-connector


Codex Review: Didn't find any major issues. What shall we delve into next?

@github-actions

Contributor

GitNexus: 🚀 deployed

The LibreChat-pr-13189 index is now live on the MCP server.

@danny-avila danny-avila marked this pull request as ready for review May 19, 2026 12:58
@danny-avila danny-avila changed the title from "🍪 fix: Add Session Cookie Secure Override" to "🍪 feat: Add Session Cookie Secure Override" May 19, 2026
@danny-avila danny-avila changed the base branch from main to dev May 19, 2026 12:58
@danny-avila danny-avila force-pushed the danny-avila/fix-session-cookie-secure-override branch from 1ad1522 to fa930ee May 19, 2026 13:00
@danny-avila

Owner Author

@codex review

@chatgpt-codex-connector


Codex Review: Didn't find any major issues. More of your lovely PRs please.

@github-actions

Contributor

GitNexus: 🚀 deployed

The LibreChat-pr-13189 index is now live on the MCP server.

@danny-avila danny-avila merged commit 909329a into dev May 19, 2026
3 checks passed
@danny-avila danny-avila deleted the danny-avila/fix-session-cookie-secure-override branch May 19, 2026 13:44
patricia2510 pushed a commit to lexaeon-org/libre-chat that referenced this pull request May 21, 2026
* fix: add session cookie secure override

* chore: remove empty whitespace
fuuuzzy pushed a commit to fuuuzzy/LibreChat that referenced this pull request May 22, 2026
* fix: add session cookie secure override

* chore: remove empty whitespace