From 654c39ff1e7c1f65ce1757656ea95006e1d05809 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 7 May 2026 07:53:51 +0000
Subject: [PATCH] fix: change session cookie SameSite from Strict to Lax to fix cross-site getlogin flow
Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/acf6148d-63c7-4ee2-a856-6de7de68118d
Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
---
 php/public/index.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/php/public/index.php b/php/public/index.php
index eb2a7878..4c64ab31 100644
--- a/php/public/index.php
+++ b/php/public/index.php
@@ -68,7 +68,7 @@ session_start([
 "use_strict_mode" => true, // Only allow initialized session IDs. See https://www.php.net/manual/en/session.configuration.php#ini.session.use-strict-mode
 "cookie_secure" => true, // Only send cookies over https (not http). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#secure
 "cookie_httponly" => true, // Block the cookie from being read with js in the browser, will still be send for fetch request triggered by js. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#httponly
- "cookie_samesite" => "Strict", // Only send the cookie with requests triggered by AIO itself. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#samesitesamesite-value
+ "cookie_samesite" => "Lax", // Send the cookie with same-site requests and top-level cross-site navigations (e.g. redirect after token-based getlogin). "Strict" would block the session cookie on the redirect that follows a cross-site navigation, breaking the getlogin flow from Nextcloud's admin panel. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#samesitesamesite-value
 ]);
 
 if ($wasAuthenticated) {
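Review bot: The new `"cookie_samesite" => "Lax"` line drops the one property that made Strict a CSRF backstop — the session cookie is now attached to top-level cross-site GET navigations — so the comment should state the invariant the rest of the app must now uphold rather than only explaining the getlogin redirect: `// NOTE: with Lax the cookie rides on cross-site top-level GETs; every state-changing AIO action must stay POST-only (Lax still withholds the cookie on cross-site POSTs) and keep its CSRF token check.` The `session_start([` call begins before the hunk and `if ($wasAuthenticated) {` continues past it, so the handler that accepts the getlogin token is not visible here; if it does not already call `session_regenerate_id(true)` once the token is accepted, that is worth confirming, since the cookie is now exchanged across a cross-site boundary. It may also be worth a sentence in the commit description naming which endpoints were audited for GET-reachable mutations when Strict was relaxed.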