From b0d6595046d65d80a8fc3f6bc0fbc1bbff8107be Mon Sep 17 00:00:00 2001
From: Nishthajain7
Date: Wed, 25 Feb 2026 20:47:23 +0530
Subject: [PATCH] Session cookie is secured only in production
---
 server/server.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/server/server.js b/server/server.js
index 7e2f362f1a..78c20d7dc6 100644
--- a/server/server.js
+++ b/server/server.js
@@ -82,6 +82,8 @@ mongoose.connect(mongoConnectionString, {
 socketTimeoutMS: 45000 // 45 seconds timeout
 });
 
+const isProduction = process.env.NODE_ENV === 'production';
+
 app.use(
 session({
 resave: true,
@@ -91,7 +93,7 @@ app.use(
 name: 'sessionId',
 cookie: {
 httpOnly: true,
- secure: false,
+ secure: isProduction,
 maxAge: 1000 * 60 * 60 * 24 * 28 // 4 weeks in milliseconds
 },
 store: MongoStore.create({
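Review bot: `isProduction` is true only when NODE_ENV is exactly `'production'`, so a deployed environment where the variable is unset or carries another value (staging, preview) silently keeps issuing the session cookie without the Secure flag. Failing closed is the safer default: `const isProduction = process.env.NODE_ENV !== 'development';`, or a dedicated setting that only local HTTP development turns off. A one-line comment above the constant stating that it gates the cookie's Secure flag would also help the next reader.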
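Review bot: With `secure: isProduction`, the session middleware (this looks like express-session) sets the cookie only on requests it considers secure. If production terminates TLS at a reverse proxy or load balancer and the app has neither `app.set('trust proxy', 1)` nor `proxy: true` in the session options, no Set-Cookie header is sent and logins fail. The hunk does not show either setting, so this should be confirmed elsewhere in server.js before merging. The cookie block also sets no `sameSite` attribute; adding `sameSite: 'lax'` next to `httpOnly` would limit cross-site sending of the session cookie. The `session({ ... })` call starts and ends outside the hunk.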