From c21f28a4d67dbf701e93d4f5d10018fc360e8fa7 Mon Sep 17 00:00:00 2001
From: Serreau Jovann <jovann@siteconseil.fr>
Date: Fri, 20 Mar 2026 10:00:34 +0100
Subject: [PATCH] fix: use auto cookie_secure to fix SSO invalid state
 parameter

The session cookie was not sent back on HTTP requests because
cookie_secure was hardcoded to true, causing OAuth2 state mismatch.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 config/packages/framework.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/packages/framework.yaml b/config/packages/framework.yaml
index 3669172..8274d86 100644
--- a/config/packages/framework.yaml
+++ b/config/packages/framework.yaml
@@ -10,7 +10,7 @@ framework:
     session:
         name: crm_session
         cookie_lifetime: 3600
-        cookie_secure: true
+        cookie_secure: auto
 
     #esi: true
     #fragments: true