refactor(session-middleware): improve cookie handling and security settings

- Updated session middleware to use secure cookies in production environments.
- Adjusted sameSite attribute to "lax" for standard handling of same-origin requests.
- Removed unnecessary comments and streamlined cookie settings for clarity.

worklenz-backend/src/middlewares/session-middleware.ts

@@ -5,15 +5,12 @@ import { isProduction } from "../shared/utils";
 // eslint-disable-next-line @typescript-eslint/no-var-requires
 const pgSession = require("connect-pg-simple")(session);
 
-// For cross-origin requests, we need special cookie settings
-const isHttps = process.env.NODE_ENV === "production" || process.env.FORCE_HTTPS === "true";
-
 export default session({
   name: process.env.SESSION_NAME || "worklenz.sid",
   secret: process.env.SESSION_SECRET || "development-secret-key",
-  proxy: true, // Enable proxy support for proper session handling
+  proxy: true,
   resave: false,
-  saveUninitialized: false, // Changed to false to prevent unnecessary session creation
+  saveUninitialized: false,
   rolling: true,
   store: new pgSession({
     pool: db.pool,
@@ -21,10 +18,9 @@ export default session({
   }),
   cookie: {
     path: "/",
-    secure: isHttps, // Only secure in production with HTTPS
+    secure: isProduction(), // Use secure cookies in production
-    httpOnly: true, // Enable httpOnly for security
+    httpOnly: true,
-    sameSite: isHttps ? "none" : false, // Use "none" for HTTPS cross-origin, disable for HTTP
+    sameSite: "lax", // Standard setting for same-origin requests
-    domain: undefined, // Don't set domain for cross-origin requests
     maxAge: 30 * 24 * 60 * 60 * 1000 // 30 days
   }
 });