localhost is also a secure origin by browsers

segevfiner · web-flow · commit 43045298a5de · 2025-08-07T17:35:20.000+03:00
Also partitioned cookies are only allowed with secure, so in `secure: 'auto'` also set partitioned to false
diff --git a/lib/cookie.js b/lib/cookie.js
@@ -25,10 +25,11 @@ module.exports = class Cookie {
     }
 
     if (this.secure === 'auto') {
-      if (request.protocol === 'https') {
+      if (request.protocol === 'https' || request.hostname === 'localhost') {
         this.secure = true
       } else {
         this.sameSite = 'lax'
+        this.partitioned = false
         this.secure = false
       }
     }
diff --git a/lib/fastifySession.js b/lib/fastifySession.js
@@ -166,7 +166,7 @@ function fastifySession (fastify, options, next) {
 
       const cookieSessionId = getCookieSessionId(request)
       const saveSession = shouldSaveSession(request, cookieSessionId, saveUninitializedSession, rollingSessions)
-      const isInsecureConnection = cookieOpts.secure === true && request.protocol !== 'https'
+      const isInsecureConnection = cookieOpts.secure === true && request.protocol !== 'https' && request.hostname !== 'localhost'
       const sessionIdWithPrefix = hasCookiePrefix ? `${cookiePrefix}${session.encryptedSessionId}` : session.encryptedSessionId
       if (!saveSession || isInsecureConnection) {
         // if a session cookie is set, but has a different ID, clear it

Original file line number	Diff line number	Diff line change
`@@ -25,10 +25,11 @@ module.exports = class Cookie {`
`25`	`25`	`}`
`26`	`26`
`27`	`27`	`if (this.secure === 'auto') {`
`28`		`- if (request.protocol === 'https') {`
	`28`	`+ if (request.protocol === 'https' \|\| request.hostname === 'localhost') {`
`29`	`29`	`this.secure = true`
`30`	`30`	`} else {`
`31`	`31`	`this.sameSite = 'lax'`
	`32`	`+ this.partitioned = false`
`32`	`33`	`this.secure = false`
`33`	`34`	`}`
`34`	`35`	`}`