🍪 feat: Configurable Secure Cookie Behavior (#25)

* add configurable secure cookie env

* Update .env.example

Author: XHyperDEVX

.env.example

@@ -19,6 +19,10 @@ SESSION_SECRET=
 # Session idle timeout in milliseconds (default: 30 minutes)
 # ADMIN_SESSION_IDLE_TIMEOUT_MS=1800000
 
+# Whether the session cookie should only be sent over HTTPS.
+# Defaults to true in production, false otherwise.
+# SESSION_COOKIE_SECURE=true
+
 # ── Cache Control ────────────────────────────────────────────
 # These mirror LibreChat's cache env vars. ADMIN_PANEL_* variants
 # take precedence, falling back to the shared LibreChat equivalents.

src/server/session.ts

@@ -10,6 +10,11 @@ const envIdleTimeout = Number(process.env.ADMIN_SESSION_IDLE_TIMEOUT_MS);
 const effectiveIdleTimeout =
   Number.isFinite(envIdleTimeout) && envIdleTimeout > 0 ? envIdleTimeout : DEFAULT_IDLE_TIMEOUT_MS;
 
+const sessionCookieSecure =
+  process.env.SESSION_COOKIE_SECURE !== undefined
+    ? process.env.SESSION_COOKIE_SECURE === 'true'
+    : process.env.NODE_ENV === 'production';
+
 export const SESSION_CONFIG = {
   revalidationInterval: REVALIDATION_INTERVAL_MS,
   idleTimeout: effectiveIdleTimeout,
@@ -33,7 +38,7 @@ export function useAppSession(): ReturnType<typeof useSession<t.SessionData>> {
     name: 'admin-session',
     password: sessionSecret || '',
     cookie: {
-      secure: process.env.NODE_ENV === 'production',
+      secure: sessionCookieSecure,
       sameSite: 'lax',
       httpOnly: true,
       maxAge: 60 * 60 * 24 * 7,