fix: make session store respect insecure cookies setting (resolve #855)

config/config.go

@@ -557,10 +557,13 @@ func Load(configFlag string, version string) *Config {
 	sessionKey := securecookie.GenerateRandomKey(32)
 
 	if IsDev(env) {
-		slog.Warn("using temporary keys to sign and encrypt cookies in dev mode, make sure to set env to production for real-world use")
+		slog.Warn("⚠️ using temporary keys to sign and encrypt cookies in dev mode, make sure to set env to production for real-world use")
 		hashKey, blockKey = getTemporarySecureKeys()
 		blockKey = hashKey
 	}
+	if config.Security.InsecureCookies {
+		slog.Warn("⚠️ it is strongly advised NOT to use insecure cookies, are you sure about this setting?")
+	}
 
 	config.Security.SecureCookie = securecookie.New(hashKey, blockKey)
 	config.Security.SessionKey = sessionKey

config/session.go

@@ -1,6 +1,8 @@
 package config
 
 import (
+	"net/http"
+
 	"github.com/gorilla/sessions"
 )
 
@@ -9,10 +11,17 @@ import (
 var sessionStore *sessions.CookieStore
 
 func NewSessionStore() *sessions.CookieStore {
-	return sessions.NewCookieStore(
+	store := sessions.NewCookieStore(
 		Get().Security.SessionKey,
 		Get().Security.SessionKey,
 	)
+
+	if Get().Security.InsecureCookies {
+		store.Options.SameSite = http.SameSiteStrictMode
+		store.Options.Secure = false
+	}
+
+	return store
 }
 
 func GetSessionStore() *sessions.CookieStore {