From dde83a24171cef550ad9ee9c25e11c9b2992db8a Mon Sep 17 00:00:00 2001
From: Space-Banane
Date: Wed, 20 May 2026 21:53:51 +0200
Subject: [PATCH] Make session cookie security configurable

---
 README.md | 5 +++++
 backend/main.py | 11 ++++++++++-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 171e718..30fb4a9 100644
--- a/README.md
+++ b/README.md
@@ -32,6 +32,11 @@ docker compose up --build
 The app expects a MariaDB instance configured through environment variables.
+### Session and Cookie Env Vars
+
+- `SESSION_TTL_SECONDS` (default: `86400`)
+- `SESSION_COOKIE_SECURE` (default: `false`, set `true` in production HTTPS)
+
 ## Gitea CI/CD
 Add these secrets in Gitea:
diff --git a/backend/main.py b/backend/main.py
index 297711c..606dc8a 100644
--- a/backend/main.py
+++ b/backend/main.py
@@ -19,6 +19,7 @@ STATIC_DIR = Path("frontend/dist")
 PUBLIC_DIR = Path("public")
 SESSION_COOKIE = "jellomator_session"
 SESSION_TTL_SECONDS = int(os.getenv("SESSION_TTL_SECONDS", "86400"))
+SESSION_COOKIE_SECURE = os.getenv("SESSION_COOKIE_SECURE", "false").lower() in ("1", "true", "yes", "on")
 DB_HOST = os.getenv("DB_HOST", "mariadb")
 DB_PORT = int(os.getenv("DB_PORT", "3306"))
 DB_USER = os.getenv("DB_USER", "jellomator")
@@ -222,7 +223,15 @@ def login(inp: LoginIn):
         (token, row["id"], now, expires_at_iso(), now),
     )
     response = JSONResponse({"ok": True})
-    response.set_cookie(SESSION_COOKIE, token, httponly=True, samesite="lax", secure=False, path="/")
+    response.set_cookie(
+        SESSION_COOKIE,
+        token,
+        httponly=True,
+        samesite="lax",
+        secure=SESSION_COOKIE_SECURE,
+        max_age=SESSION_TTL_SECONDS,
+        path="/",
+    )
     return response
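Review bot: The new `SESSION_COOKIE_SECURE` line defaults to the insecure setting, so a production deployment that simply forgets the variable keeps sending the session token over plain HTTP with no signal that anything is wrong; at minimum a startup warning when it resolves to False would surface that, e.g. `if not SESSION_COOKIE_SECURE: logging.getLogger(__name__).warning("SESSION_COOKIE_SECURE is off; session cookie may be sent over HTTP")`. Whether `logging` is already imported in this file is not visible in the hunk. The truthy-string parse also does not strip whitespace, so a value such as `"true "` coming from a compose or env file quietly evaluates to False; `.strip().lower()` avoids that silent downgrade.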
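Review bot: `max_age=SESSION_TTL_SECONDS` in the new `set_cookie` call is a behavioural change the commit subject does not mention: the cookie was previously a browser-session cookie and is now persisted on disk for the full TTL, so it survives browser restarts on shared machines. That is only sound if it agrees with the server-side expiry written by `expires_at_iso()` a few lines above; if that helper is not derived from `SESSION_TTL_SECONDS` (not visible here), the cookie and the DB row can expire at different times. If the persistence is intentional, a comment such as `# persist the cookie for the same TTL the session row uses` next to the `max_age` line would make the coupling explicit. The `login` function starts outside the hunk.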