X-Git-Url: http://source.bookstackapp.com/bookstack/blobdiff_plain/5c7262673abc67571b90b18365202ccbff585897..refs/pull/3693/head:/app/Config/session.php

diff --git a/app/Config/session.php b/app/Config/session.php
index 37f1627bb..a00d75807 100644
--- a/app/Config/session.php
+++ b/app/Config/session.php
@@ -1,5 +1,7 @@
 <?php
 
+use Illuminate\Support\Str;
+
 /**
  * Session configuration options.
  *
@@ -57,7 +59,7 @@ return [
     // The session cookie path determines the path for which the cookie will
     // be regarded as available. Typically, this will be the root path of
     // your application but you are free to change this when necessary.
-    'path' => '/',
+    'path' => '/' . (explode('/', env('APP_URL', ''), 4)[3] ?? ''),
 
     // Session Cookie Domain
     // Here you may change the domain of the cookie used to identify a session
@@ -69,7 +71,8 @@ return [
     // By setting this option to true, session cookies will only be sent back
     // to the server if the browser has a HTTPS connection. This will keep
     // the cookie from being sent to you if it can not be done securely.
-    'secure' => env('SESSION_SECURE_COOKIE', false),
+    'secure' => env('SESSION_SECURE_COOKIE', null)
+        ?? Str::startsWith(env('APP_URL', ''), 'https:'),
 
     // HTTP Access Only
     // Setting this value to true will prevent JavaScript from accessing the
@@ -80,6 +83,6 @@ return [
     // This option determines how your cookies behave when cross-site requests
     // take place, and can be used to mitigate CSRF attacks. By default, we
     // do not enable this as other CSRF protection services are in place.
-    // Options: lax, strict
-    'same_site' => null,
+    // Options: lax, strict, none
+    'same_site' => 'lax',
 ];