feat(handler/login): remove legacy cookie

We no longer need to set an additional cookie without SameSite,
since the login cookie now uses SameSite=Lax.
This commit is contained in:
Trong Huu Nguyen
2023-12-18 08:32:59 +01:00
parent 083cb54df7
commit e00832016b
7 changed files with 3 additions and 39 deletions


@@ -178,14 +178,10 @@ func (s *Standalone) LoginCallback(w http.ResponseWriter, r *http.Request) {
// unconditionally clear login cookies
cookie.Clear(w, cookie.Login, opts.WithSameSite(http.SameSiteLaxMode))
cookie.Clear(w, cookie.LoginLegacy, opts.WithSameSite(http.SameSiteDefaultMode))
loginCookie, err := openid.GetLoginCookie(r, s.Crypter)
if err != nil {
msg := "callback: fetching login cookie"
if errors.Is(err, http.ErrNoCookie) {
msg += ": fallback cookie not found (user might have blocked all cookies, or the callback route was accessed before the login route)"
}
msg := "callback: fetching login cookie (user might have blocked all cookies, or the callback route was accessed before the login route)"
s.Unauthorized(w, r, fmt.Errorf("%s: %w", msg, err))
return
}