From 003844c7cdec94fef187b025fa6894679916f736 Mon Sep 17 00:00:00 2001
From: Chris Veleris
Date: Mon, 13 Apr 2026 13:22:09 +0300
Subject: [PATCH] fix: add COOKIE_SECURE environment variable to control cookie security Allows cookies to work over HTTP even in production mode by setting COOKIE_SECURE=false. This is needed for local Docker deployments that use HTTP instead of HTTPS. When COOKIE_SECURE=false, the secure flag is disabled on cookies. When COOKIE_SECURE is not set or set to any other value, it defaults to the production mode behavior (secure cookies in production).
---
 backend/app.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/backend/app.js b/backend/app.js
index a91bb9d..bd36460 100644
--- a/backend/app.js
+++ b/backend/app.js
@@ -85,7 +85,7 @@ const sessionMiddleware = session({
 saveUninitialized: false,
 cookie: {
 httpOnly: true,
- secure: config.production,
+ secure: process.env.COOKIE_SECURE !== 'false' && config.production,
 maxAge: 2592000000, // 30 days
 sameSite: 'lax',
 },
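Review bot: The new `secure:` expression lets one environment variable turn off the Secure attribute on the session cookie in production, and nothing in the hunk records that it happened; with `maxAge` at 30 days, a forgotten `COOKIE_SECURE=false` leaves a long-lived session identifier travelling over plain HTTP. I would log the downgrade once at startup, e.g. `if (config.production && process.env.COOKIE_SECURE === 'false') console.warn('COOKIE_SECURE=false: session cookie is not marked Secure');`, using whatever logger the app already has. The flag is also read straight from `process.env` while the value next to it comes from `config`, so moving it into the config module (for example as `config.cookieSecure`, a suggested name) would keep environment parsing in one place. If the HTTP-only case is actually a TLS-terminating proxy in front of the container, and assuming this is express-session, `secure: 'auto'` together with Express's `trust proxy` setting may fit better than an opt-out, though the deployment is not visible here. The `session({...})` call starts and ends outside the hunk.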