From e68f3c731e2ac340afa2f3c1af61392b2e14db5d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Agust=C3=ADn=20Busso?= <90727999+agustinbusso@users.noreply.github.com>
Date: Mon, 30 Mar 2026 13:31:27 -0300
Subject: [PATCH] Add sameSite header to cookies using .env or by default set to lax
---
 .../Http/Controllers/Auth/LoginController.php | 11 ++++++++---
 ProcessMaker/Http/Controllers/TaskController.php | 12 +++++++++++-
 2 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/ProcessMaker/Http/Controllers/Auth/LoginController.php b/ProcessMaker/Http/Controllers/Auth/LoginController.php
index 6be170ac5b..688522aea1 100644
--- a/ProcessMaker/Http/Controllers/Auth/LoginController.php
+++ b/ProcessMaker/Http/Controllers/Auth/LoginController.php
@@ -91,7 +91,7 @@ public function showLoginForm(Request $request)
 true,
 true,
 false,
- 'none'
+ $this->sessionSameSite()
 );
 
 // Redirect to SSO and attach the cookie
@@ -111,7 +111,7 @@ public function showLoginForm(Request $request)
 true,
 true,
 false,
- 'none'
+ $this->sessionSameSite()
 );
 $loginView = empty(config('app.login_view')) ? 'auth.login' : config('app.login_view');
 $response = response(view($loginView, compact('addons', 'block')));
@@ -358,7 +358,7 @@ public function login(Request $request, User $user)
 true,
 true,
 false,
- 'none',
+ $this->sessionSameSite(),
 );
 
 return redirect()->route('password.change');
@@ -406,4 +406,9 @@ private function setupLanguage(Request $request, User $user)
 $user->save();
 }
 }
+
+ private function sessionSameSite(): string
+ {
+ return config('session.same_site') ?: 'lax';
+ }
 }
diff --git a/ProcessMaker/Http/Controllers/TaskController.php b/ProcessMaker/Http/Controllers/TaskController.php
index 08bf2e510f..07d8d597a2 100755
--- a/ProcessMaker/Http/Controllers/TaskController.php
+++ b/ProcessMaker/Http/Controllers/TaskController.php
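Review bot: The cookie built in the first hunk of LoginController (lines 91–97) is issued immediately before the SSO redirect (`// Redirect to SSO and attach the cookie`), and the hard-coded `'none'` it replaces looks deliberate: a cookie that must be presented on the cross-site return from the identity provider is withheld by browsers under `lax` when that return is a POST, so the new `lax` default may silently break the SSO round trip unless the deployment sets `SESSION_SAME_SITE=none` (the `secure` flag is already `true`, which `none` requires). The same substitution is made at lines 111 and 358, so all three share the risk. The `sessionSameSite()` helper added in the last hunk carries no documentation; I would give it a docblock such as `/** SameSite attribute for auth cookies: the session.same_site setting, falling back to lax. SSO flows that return by cross-site POST need none (with Secure). */`. Presumably the cookie factory rejects values outside lax/strict/none, in which case a typo in the env becomes an exception on the login page rather than at configuration time — worth confirming and, if so, validating once at boot.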
@@ -264,7 +264,17 @@ public function updateVariable(HttpRequest $request, $abe_uuid)
 // Review if the autentication is required
 if ($abe->require_login && Auth::user()->username === AnonymousUser::ANONYMOUS_USERNAME) {
 $request->session()->put('url.intended', url()->full());
- $cookie = cookie('processmaker_intended', url()->full(), 10, '/');
+ $cookie = cookie(
+ 'processmaker_intended',
+ url()->full(),
+ 10,
+ '/',
+ null,
+ true,
+ true,
+ false,
+ config('session.same_site') ?: 'lax'
+ );
 
 return redirect('login')->withCookie($cookie);
 }
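Review bot: The fallback `config('session.same_site') ?: 'lax'` is inlined on the new side here while LoginController gets a private `sessionSameSite()` wrapping the identical expression, so the default now lives in two places and can drift; a single shared helper, or declaring the default once in the session config and reading the key plainly, would keep the auth and task cookies aligned. Separately, the rewritten call passes `true` for the secure flag where the original `cookie('processmaker_intended', url()->full(), 10, '/')` left it to the framework default, which presumably follows `session.secure`: stricter, but on a non-TLS deployment the `processmaker_intended` cookie would no longer be returned, and the commit message does not mention that change — either pass `config('session.secure')` to keep the previous behaviour or call the tightening out. The enclosing `updateVariable` continues beyond the end of the hunk.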