fix: set samesite compatibility cookie as transient when the session is

If the session is transient then legacy cookies should also be transient. fixes #636
panva · Jan 25, 2020 · 1257164 · 1257164
1 parent e4b278d
commit 1257164
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/lib/shared/session.js b/lib/shared/session.js
@@ -22,7 +22,7 @@ module.exports = async function sessionHandler(ctx, next) {
   } finally {
     const sessionCookieName = ctx.oidc.provider.cookieName('session');
     const stateCookieName = ctx.oidc.provider.cookieName('state');
-    const longRegexp = new RegExp(`^(${sessionCookieName}|${stateCookieName}\\.[^=]+)(?:\\.sig)?=`);
+    const longRegexp = new RegExp(`^(${sessionCookieName}|${stateCookieName}\\.[^=]+)(?:\\.legacy)?(?:\\.sig)?=`);
 
     // refresh the session duration
     if ((!ctx.oidc.session.new || ctx.oidc.session.touched) && !ctx.oidc.session.destroyed) {