docs/getting-started/advanced-topics/env-configuration.md
+40
@@ -597,12 +597,52 @@ requests initiated by third-party websites, but only over HTTPS.
597
597
- Default: `lax`
598
598
- Description: Sets the `SameSite` attribute for session cookies.
599
599
600
+
:::warning
601
+
602
+
When `ENABLE_OAUTH_SIGNUP` is enabled, setting `WEBUI_SESSION_COOKIE_SAME_SITE` to `strict` can cause login failures. This is because Open WebUI uses a session cookie to validate the callback from the OAuth provider, which helps prevent CSRF attacks.
603
+
604
+
However, a `strict` session cookie is not sent with the callback request, leading to potential login issues. If you experience this problem, use the default `lax` value instead.
605
+
606
+
:::
607
+
600
608
#### `WEBUI_SESSION_COOKIE_SECURE`
601
609
602
610
- Type: `bool`
603
611
- Default: `False`
604
612
- Description: Sets the `Secure` attribute for session cookies if set to `True`.
605
613
614
+
#### `WEBUI_AUTH_COOKIE_SAME_SITE`
615
+
616
+
- Type: `str` (enum: `lax`, `strict`, `none`)
617
+
- Options:
618
+
-`lax` - Sets the `SameSite` attribute to lax, allowing auth cookies to be sent with
619
+
requests initiated by third-party websites.
620
+
-`strict` - Sets the `SameSite` attribute to strict, blocking auth cookies from being sent
621
+
with requests initiated by third-party websites.
622
+
-`none` - Sets the `SameSite` attribute to none, allowing auth cookies to be sent with
623
+
requests initiated by third-party websites, but only over HTTPS.
624
+
- Default: `lax`
625
+
- Description: Sets the `SameSite` attribute for auth cookies.
626
+
627
+
:::info
628
+
629
+
If the value is not set, `WEBUI_SESSION_COOKIE_SAME_SITE` will be used as a fallback.
630
+
631
+
:::
632
+
633
+
#### `WEBUI_AUTH_COOKIE_SECURE`
634
+
635
+
- Type: `bool`
636
+
- Default: `False`
637
+
- Description: Sets the `Secure` attribute for auth cookies if set to `True`.
638
+
639
+
:::info
640
+
641
+
If the value is not set, `WEBUI_SESSION_COOKIE_SECURE` will be used as a fallback.
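
Review bot: In the new `WEBUI_AUTH_COOKIE_SAME_SITE` options, the `none` bullet says the cookie is sent "only over HTTPS", but the `WEBUI_AUTH_COOKIE_SECURE` section added right after it defaults to `False`, and nothing tells the reader that the two must be changed together. Browsers reject a `SameSite=None` cookie that lacks the `Secure` attribute, so setting only `none` leaves the user without an auth cookie; suggest adding "requires `WEBUI_AUTH_COOKIE_SECURE=True`" to that bullet. Both new sections also list a fixed default (`lax`, `False`) and then an info box saying the session-cookie variable is used when the value is not set. These read as contradictory, so state the default as the value of `WEBUI_SESSION_COOKIE_SAME_SITE` (and `WEBUI_SESSION_COOKIE_SECURE` for the Secure setting). The `lax` bullet would be more accurate if it said the cookie accompanies top-level navigations from other sites rather than all third-party-initiated requests, since as written it differs from `none` only by the HTTPS clause.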