From 2ef8a1edd795005eff64db691614fe5e6ab6871d Mon Sep 17 00:00:00 2001
From: Ginger
Date: Thu, 30 Apr 2026 12:22:56 -0400
Subject: [PATCH] fix: Use SameSite=Lax for session cookie

---
 src/web/mod.rs | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/web/mod.rs b/src/web/mod.rs
index 0015be3cb..b4cdbf6ae 100644
--- a/src/web/mod.rs
+++ b/src/web/mod.rs
@@ -10,7 +10,7 @@ use axum::{
 use conduwuit_service::{Services, state};
 use tower_http::{catch_panic::CatchPanicLayer, set_header::SetResponseHeaderLayer};
 use tower_sec_fetch::SecFetchLayer;
-use tower_sessions::{ExpiredDeletion, SessionManagerLayer};
+use tower_sessions::{ExpiredDeletion, SessionManagerLayer, cookie::SameSite};
 
 use crate::{
 	pages::TemplateContext,
@@ -134,7 +134,11 @@ pub fn build(services: &Services) -> Router {
 		.merge(threepid::build())
 		.fallback(async || WebError::NotFound),
 	)
-	.layer(SessionManagerLayer::new(store).with_name("_c10y_session"))
+	.layer(
+		SessionManagerLayer::new(store)
+			.with_name("_c10y_session")
+			.with_same_site(SameSite::Lax),
+	)
 	.layer(CatchPanicLayer::custom(|panic: Box| {
 		let details = if let Some(s) = panic.downcast_ref::() {
 			s.clone()
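Review bot: The `.with_same_site(SameSite::Lax)` added to the `SessionManagerLayer` in the second hunk is a relaxation if tower_sessions' default is `Strict` (it is in the releases I know of; confirm against the pinned version), and nothing in the hunk records why it is needed, so add a comment above that line such as `// Lax rather than the default Strict so the session survives a top-level cross-site redirect — TODO name the flow that breaks under Strict`. Under Lax the cookie is still withheld from cross-site POST and fetch requests but is attached to top-level GET navigations, so any handler mounted in this `Router` that changes state on GET becomes reachable with a valid session from another origin; the `SecFetchLayer` already in this stack is the visible defence for that and should stay ahead of the session layer. `secure` and `http_only` are left implicit here; if the deployment relies on them it is worth pinning them explicitly next to the new call rather than depending on library defaults. `build` continues outside the hunk.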