Ensure that the cookies sent by the OLD have the secure attribute set by default. This can still be disabled by setting the env var 'OLD_SESSION_SECURE' to 'false', or by modifying config.ini directly.
Rationale
Modern browsers now require HTTPS to be used and the secure flag enabled in order to use samesite=None, which is what Dative/OLD does because we want to allow cross-origin requests that are authorized via cookie sessions.
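The interaction described above, as an added example that is not part of the OLD code base: a cookie is built with `SameSite=None`, and a check run over the resulting `Set-Cookie` value flags the combination browsers refuse. The cookie name `old_session`, the helper names, and the rule that only the literal `false` disables the flag are assumptions made for illustration.

```python
import os
from http.cookies import SimpleCookie

COOKIE_NAME = "old_session"  # hypothetical name, not taken from the OLD


def secure_enabled(environ=None):
    """Secure is on by default; only 'false' turns it off (assumed parsing)."""
    environ = os.environ if environ is None else environ
    return environ.get("OLD_SESSION_SECURE", "true").strip().lower() != "false"


def build_session_cookie(value, environ=None):
    """Return a Set-Cookie header value for a cross-origin session cookie."""
    jar = SimpleCookie()
    jar[COOKIE_NAME] = value
    morsel = jar[COOKIE_NAME]
    morsel["path"] = "/"
    morsel["httponly"] = True
    morsel["samesite"] = "None"  # needed for cookie-authorized cross-origin requests
    if secure_enabled(environ):
        morsel["secure"] = True
    return morsel.OutputString()


def audit_set_cookie(header_value):
    """Return a list of problems found in one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header_value)
    problems = []
    for name, morsel in jar.items():
        samesite = (morsel["samesite"] or "").lower()
        secure = bool(morsel["secure"])
        if samesite == "none" and not secure:
            problems.append(
                f"{name}: SameSite=None without Secure; browsers reject this cookie"
            )
        elif not secure:
            problems.append(f"{name}: Secure not set; cookie can travel over plain HTTP")
    return problems


if __name__ == "__main__":
    # Constructed environments: the default, then the documented opt-out.
    for env in ({}, {"OLD_SESSION_SECURE": "false"}):
        header = build_session_cookie("abc123", env)
        print(env, "->", header, "->", audit_set_cookie(header) or "ok")
```

The same `audit_set_cookie` check can be pointed at `Set-Cookie` values captured from a deployed instance to confirm the default took effect.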