From e6ba19fe8ec6860c954bc5f84613826e69235f5d Mon Sep 17 00:00:00 2001
From: Nova <nova@vm42.us>
Date: Wed, 25 Feb 2026 03:48:04 +0000
Subject: [PATCH] Fix: Session cookie secure=false for HTTP support

In production with HTTP, secure cookies are rejected by browsers.
Allow HTTP until behind proper HTTPS proxy.
---
 server/index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/index.js b/server/index.js
index e4610ae..2661283 100644
--- a/server/index.js
+++ b/server/index.js
@@ -61,7 +61,7 @@ app.use(session({
   resave: false,
   saveUninitialized: false,
   cookie: {
-    secure: process.env.NODE_ENV === 'production',
+    secure: false, // Allow HTTP (set to true only behind HTTPS proxy)
     maxAge: CONFIG.sessionMaxAge
   }
 }));