From cfa0af24aeb99cfaee0028b1250cb0d91f3bd397 Mon Sep 17 00:00:00 2001
From: chamikaJ
Date: Mon, 2 Jun 2025 13:29:05 +0530
Subject: [PATCH] refactor(session-middleware): improve cookie handling and security settings

- Updated session middleware to use secure cookies in production environments.
- Adjusted sameSite attribute to "lax" for standard handling of same-origin requests.
- Removed unnecessary comments and streamlined cookie settings for clarity.
---
 .../src/middlewares/session-middleware.ts | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/worklenz-backend/src/middlewares/session-middleware.ts b/worklenz-backend/src/middlewares/session-middleware.ts
index a0452bee..fea60018 100644
--- a/worklenz-backend/src/middlewares/session-middleware.ts
+++ b/worklenz-backend/src/middlewares/session-middleware.ts
@@ -5,15 +5,12 @@ import { isProduction } from "../shared/utils";
 // eslint-disable-next-line @typescript-eslint/no-var-requires
 const pgSession = require("connect-pg-simple")(session);
 
-// For cross-origin requests, we need special cookie settings
-const isHttps = process.env.NODE_ENV === "production" || process.env.FORCE_HTTPS === "true";
-
 export default session({
 name: process.env.SESSION_NAME || "worklenz.sid",
 secret: process.env.SESSION_SECRET || "development-secret-key",
- proxy: true, // Enable proxy support for proper session handling
+ proxy: true,
 resave: false,
- saveUninitialized: false, // Changed to false to prevent unnecessary session creation
+ saveUninitialized: false,
 rolling: true,
 store: new pgSession({
 pool: db.pool,
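Review bot: The fallback `secret: process.env.SESSION_SECRET || "development-secret-key"` survives on the new side, so a production deployment that forgets to set SESSION_SECRET silently signs session cookies with a string that is public in the repository; since this commit is about hardening the cookie settings, a fail-fast guard before the export fits here, `if (isProduction() && !process.env.SESSION_SECRET) throw new Error("SESSION_SECRET must be set in production");`. Stripping the comment from `proxy: true` also leaves a non-obvious option undocumented: it makes express-session trust the X-Forwarded-Proto header when deciding whether it may emit a Secure cookie, so a short note such as `// trust X-Forwarded-Proto so Secure cookies are set behind a TLS-terminating proxy` would help the next reader. The `session({...})` call opened here continues in the next hunk.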
@@ -21,10 +18,9 @@ export default session({
 }),
 cookie: {
 path: "/",
- secure: isHttps, // Only secure in production with HTTPS
- httpOnly: true, // Enable httpOnly for security
- sameSite: isHttps ? "none" : false, // Use "none" for HTTPS cross-origin, disable for HTTP
- domain: undefined, // Don't set domain for cross-origin requests
+ secure: isProduction(), // Use secure cookies in production
+ httpOnly: true,
+ sameSite: "lax", // Standard setting for same-origin requests
 maxAge: 30 * 24 * 60 * 60 * 1000 // 30 days
 }
 });
\ No newline at end of file
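Review bot: `sameSite: "lax"` stops browsers from attaching the session cookie to cross-site requests, so if the frontend is served from a different site than this backend (the removed lines were explicitly written for cross-origin cookies) authenticated fetch/XHR calls will arrive without a session; that is the right default when both are same-site, but it should be confirmed and the comment should say so, e.g. `sameSite: "lax", // frontend and API are same-site; "none" (with secure: true) is required for cross-site deployments`. `secure: isProduction()` also drops the previous FORCE_HTTPS override, so any non-production environment served over HTTPS now receives a cookie without the Secure flag; if such environments exist, `secure: isProduction() || process.env.FORCE_HTTPS === "true"` keeps them covered. The `session({...})` call this hunk closes begins in the previous hunk.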