
OKTA-1093560 - Insecure hardcoded cookie settings may lead to clear text session token transmission on Secure AI Agents Example#10

Merged
iamspathan merged 2 commits into main from OKTA-1093560
Jan 26, 2026

OKTA-1093560 - Insecure hardcoded cookie settings may lead to clear text session token transmission on Secure AI Agents Example#10
iamspathan merged 2 commits intomainfrom
OKTA-1093560

Conversation

@iamspathan
Collaborator

Approach

  1. Environment-Based Configuration: Changed secure flag to read from COOKIE_SECURE environment variable, defaulting to true (secure).

  2. Explicit Opt-Out for Development: Developers must explicitly set COOKIE_SECURE=false for local HTTP development.

  3. Updated Example Files: Added COOKIE_SECURE=false to .env.app.example files so local development works out of the box.

Configuration Logic:

// Default: true (secure). Browsers reject secure cookies over HTTP.
// For local development without HTTPS, set COOKIE_SECURE=false in your .env file.
secure: process.env.COOKIE_SECURE !== 'false',

Files Changed

File                                   | Change
---------------------------------------|------------------------------------------------------------------
packages/agent0/src/auth/okta-auth.ts  | Cookie secure flag reads from COOKIE_SECURE env var, defaults to true
packages/todo0/src/app-server.ts       | Cookie secure flag reads from COOKIE_SECURE env var, defaults to true
packages/agent0/.env.app.example       | Added COOKIE_SECURE=false with explanatory comment
packages/todo0/.env.app.example        | Added COOKIE_SECURE=false with explanatory comment

Verification

  • Build passes for both packages
  • Local development works when COOKIE_SECURE=false is set in .env.app
  • Production deployments default to secure cookies without configuration
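The configuration logic described in the PR above, worked into a complete example. This is added code, not from the PR or the agent0/todo0 packages: the only line taken from the PR is the `!== 'false'` comparison; `parseDotEnv`, `sessionCookieOptions`, `setCookieHeader`, the constructed `.env` content and the `NODE_ENV` production guard are all assumptions added here to show the fail-closed behaviour (misspellings such as `False` or `0` keep the cookie Secure) and to go one step beyond the PR by refusing the opt-out in a production build.

```typescript
// Added example, not the project's code. Models a session cookie whose Secure
// flag is driven by COOKIE_SECURE with a secure default, as in the PR.

type Env = Record<string, string | undefined>;

interface SessionCookieOptions {
  httpOnly: true;
  sameSite: "Lax" | "Strict";
  secure: boolean;
  path: string;
}

// Constructed sample of a .env.app.example file (not the repository's file).
const EXAMPLE_ENV_FILE = [
  "# Local development only: browsers refuse Secure cookies over plain HTTP.",
  "# Remove this line (or set it to true) for any HTTPS deployment.",
  "COOKIE_SECURE=false",
  "",
].join("\n");

// Minimal dotenv-style parser (hypothetical helper): KEY=VALUE lines,
// '#' comments and blank lines skipped, optional surrounding quotes stripped.
function parseDotEnv(text: string): Env {
  const out: Env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    let val = line.slice(eq + 1).trim();
    const quoted =
      (val.startsWith('"') && val.endsWith('"')) ||
      (val.startsWith("'") && val.endsWith("'"));
    if (quoted && val.length >= 2) val = val.slice(1, -1);
    out[key] = val;
  }
  return out;
}

// Same comparison as the PR: only the literal string "false" disables Secure.
// Unset, "", "0", "False", "no" all fail closed to secure = true.
function cookieSecureFromEnv(env: Env): boolean {
  return env.COOKIE_SECURE !== "false";
}

// Hypothetical guard added here: the opt-out is honoured only outside
// production, so a stale COOKIE_SECURE=false in a deployed .env cannot
// silently downgrade the session cookie to clear-text transmission.
function sessionCookieOptions(env: Env): SessionCookieOptions {
  const secure = cookieSecureFromEnv(env);
  if (!secure && env.NODE_ENV === "production") {
    throw new Error("COOKIE_SECURE=false is not allowed when NODE_ENV=production");
  }
  return { httpOnly: true, sameSite: "Lax", secure, path: "/" };
}

// Renders the Set-Cookie header value so the effect of the flag is visible.
function setCookieHeader(name: string, value: string, opts: SessionCookieOptions): string {
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${opts.path}`, `SameSite=${opts.sameSite}`];
  if (opts.httpOnly) parts.push("HttpOnly");
  if (opts.secure) parts.push("Secure");
  return parts.join("; ");
}

// Demo: local HTTP development with the example .env, then a production
// deployment with no COOKIE_SECURE set at all.
const localEnv: Env = { ...parseDotEnv(EXAMPLE_ENV_FILE), NODE_ENV: "development" };
console.log("local :", setCookieHeader("session", "tok123", sessionCookieOptions(localEnv)));
const prodEnv: Env = { NODE_ENV: "production" };
console.log("prod  :", setCookieHeader("session", "tok123", sessionCookieOptions(prodEnv)));
```

In a real server you would pass `process.env` (or the parsed `.env.app`) as `env`; the parser is kept inline only so the block runs offline. The guard is the part a reviewer would want beyond the PR: the PR's default is already safe, but an explicit `false` left behind in a production environment file would still be honoured.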

iamspathan merged commit e841361 into main on Jan 26, 2026
1 of 2 checks passed
iamspathan deleted the OKTA-1093560 branch on January 29, 2026 16:29
