Make session cookie security configurable

README.md

@@ -32,6 +32,11 @@ docker compose up --build
 
 The app expects a MariaDB instance configured through environment variables.
 
+### Session and Cookie Env Vars
+
+- `SESSION_TTL_SECONDS` (default: `86400`)
+- `SESSION_COOKIE_SECURE` (default: `false`, set `true` in production HTTPS)
+
 ## Gitea CI/CD
 
 Add these secrets in Gitea:

backend/main.py

@@ -19,6 +19,7 @@ STATIC_DIR = Path("frontend/dist")
 PUBLIC_DIR = Path("public")
 SESSION_COOKIE = "jellomator_session"
 SESSION_TTL_SECONDS = int(os.getenv("SESSION_TTL_SECONDS", "86400"))
+SESSION_COOKIE_SECURE = os.getenv("SESSION_COOKIE_SECURE", "false").lower() in ("1", "true", "yes", "on")
 DB_HOST = os.getenv("DB_HOST", "mariadb")
 DB_PORT = int(os.getenv("DB_PORT", "3306"))
 DB_USER = os.getenv("DB_USER", "jellomator")
@@ -222,7 +223,15 @@ def login(inp: LoginIn):
                 (token, row["id"], now, expires_at_iso(), now),
             )
     response = JSONResponse({"ok": True})
-    response.set_cookie(SESSION_COOKIE, token, httponly=True, samesite="lax", secure=False, path="/")
+    response.set_cookie(
+        SESSION_COOKIE,
+        token,
+        httponly=True,
+        samesite="lax",
+        secure=SESSION_COOKIE_SECURE,
+        max_age=SESSION_TTL_SECONDS,
+        path="/",
+    )
     return response