Fix cookie not accepted in safari

2026-03-17 16:57:51 -03:00
parent 72088dba9a
commit d6d0735ff8
6 changed files with 218 additions and 46 deletions
--- a/.env.example
+++ b/.env.example
@@ -27,6 +27,8 @@ AUTH_LOGIN_FAILURE_WINDOW_SECONDS=900
 AUTH_LOGIN_LOCKOUT_BASE_SECONDS=30
 AUTH_LOGIN_LOCKOUT_MAX_SECONDS=900
 # Optional cookie controls for split frontend/api hosts:
+# Leave AUTH_COOKIE_DOMAIN empty unless you explicitly need a parent-domain CSRF cookie mirror.
+# Host-only auth cookies are issued automatically for the API host.
 # AUTH_COOKIE_DOMAIN=docs.lan
 # AUTH_COOKIE_SAMESITE=auto