From 4c19694c4c9e806b38900b6da3e7260162c798fa Mon Sep 17 00:00:00 2001
From: Sasha Koshka
Date: Thu, 27 Mar 2025 18:29:15 -0400
Subject: [PATCH] providers/session: Add a comment about what __Host- means

---
 providers/session/session.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/providers/session/session.go b/providers/session/session.go
index 00bc212..968aa16 100644
--- a/providers/session/session.go
+++ b/providers/session/session.go
@@ -10,8 +10,13 @@ import "git.tebibyte.media/sashakoshka/go-util/sync"
 import "git.tebibyte.media/sashakoshka/go-util/container"
 import shttp "git.tebibyte.media/sashakoshka/step/http"
 
-const sessionIDCookieName = "step-session-id"
+// https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie
+// __Host- prefix: Cookies with names starting with __Host- are sent only to the
+// host subdomain or domain that set them, and not to any other host. They must
+// be set with the secure flag must be from a secure page (HTTPS), must not have
+// a domain specified, and the path must be /
 const secureSessionIDCookieName = "__Host-step-session-id"
+const sessionIDCookieName = "step-session-id"
 const defaultLifetime = 48 * time.Hour
 
 var _ step.FuncProviderFor = new(Provider)
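Review bot: The comment added above `secureSessionIDCookieName` is missing a comma ("set with the secure flag must be from a secure page"), and because it sits directly above the constant it becomes its doc comment while opening with a URL rather than the constant's name. It also does not state that these conditions are enforced by the browser: a `__Host-` cookie sent without `Secure`, with a `Domain` attribute, or with a `Path` other than `/` is rejected, so the code that writes this cookie (not visible in this hunk) has to set all three or the session silently fails to persist. I would reword it to start `// secureSessionIDCookieName uses the __Host- prefix: browsers accept the cookie only when it is set with Secure over HTTPS, with no Domain, and with Path=/.` and keep the MDN link as the last line. The relocated `sessionIDCookieName` would benefit from its own line, for example `// sessionIDCookieName is the unprefixed name; it carries none of the __Host- guarantees.`, together with a note on when each name is chosen, which cannot be told from here.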