From d85fbf9f0134baae6d58f25dcd0f10944437f8e3 Mon Sep 17 00:00:00 2001
From: Jake Fink
Date: Tue, 9 Jul 2024 08:51:56 -0400
Subject: [PATCH] only use Secure cookies if on a https connection (#4472)
---
 src/Identity/Startup.cs | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/Identity/Startup.cs b/src/Identity/Startup.cs
index 61d3d291d3..65c303e750 100644
--- a/src/Identity/Startup.cs
+++ b/src/Identity/Startup.cs
@@ -108,6 +108,10 @@ public class Startup
 options.SaveTokens = false;
 options.GetClaimsFromUserInfoEndpoint = true;
 
+ // Some browsers (safari) won't allow Secure cookies to be set on a http connection
+ options.CorrelationCookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
+ options.NonceCookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
+
 options.Events = new Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents
 {
 OnRedirectToIdentityProvider = context =>
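Review bot: Setting `CorrelationCookie.SecurePolicy` and `NonceCookie.SecurePolicy` to `SameAsRequest` ties the Secure attribute to `Request.IsHttps`, so behind a TLS-terminating reverse proxy that does not have forwarded-headers middleware configured these OIDC state cookies will be issued without Secure even though the browser is on HTTPS; nothing in the hunk shows whether this service configures that, so it should be confirmed before relying on the relaxed policy in production. The added comment only records the browser symptom; it should also state the tradeoff, e.g. `// Some browsers (safari) won't allow Secure cookies to be set on a http connection. SameAsRequest follows Request.IsHttps, so forwarded headers must be configured behind a TLS-terminating proxy or these cookies lose Secure.` A narrower alternative is to keep the framework default and only relax the policy when the configured base URL is plain http, e.g. `if (!<configured-base-url>.StartsWith("https://", StringComparison.OrdinalIgnoreCase)) { /* set SameAsRequest */ }`, which keeps HTTPS deployments on the stricter default regardless of proxy setup. The enclosing configuration method starts and ends outside the hunk.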