From 286b48247ef143d77059ccb7e2fd2fd28698ee4f Mon Sep 17 00:00:00 2001
From: "Christoph K." <christoh@kroczek.eu>
Date: Tue, 7 Apr 2026 17:28:42 +0200
Subject: [PATCH] Fix session cookie: disable Secure flag for HTTP deployment
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Secure: true requires HTTPS — cookie was not sent back on HTTP requests,
breaking the session after login.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 backend/internal/api/webui.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/internal/api/webui.go b/backend/internal/api/webui.go
index a883d4c..f0862d2 100644
--- a/backend/internal/api/webui.go
+++ b/backend/internal/api/webui.go
@@ -106,7 +106,7 @@ func (ui *WebUI) HandlePostLogin(w http.ResponseWriter, r *http.Request) {
 		Value:    sess.SessionID,
 		Path:     "/",
 		HttpOnly: true,
-		Secure:   true,
+		Secure:   false,
 		SameSite: http.SameSiteLaxMode,
 		Expires:  sess.ExpiresAt,
 	})