
fix: fix session cookie so login works behind Apache reverse proxy

- Change SameSite from "none" to "lax" — browsers reject a SameSite=None cookie
  that is not also Secure, and Secure stays false when Express cannot detect HTTPS behind the Apache proxy
- Add trust proxy=1 so Express correctly reads X-Forwarded-Proto from Apache
- Same-site deployment (www.homelegance.com) never needed SameSite=None

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Tony T 1 тиждень тому
батько
коміт
a3a58d4f67
2 змінених файлів з 7 додано та 2 видалено
  1. 5 2
      server/_core/cookies.ts
  2. 2 0
      server/_core/index.ts

+ 5 - 2
server/_core/cookies.ts

@@ -39,10 +39,13 @@ export function getSessionCookieOptions(
   //       ? hostname
   //       : undefined;
 
+  const secure = isSecureRequest(req);
   return {
     httpOnly: true,
     path: "/",
-    sameSite: "none",
-    secure: isSecureRequest(req),
+    // SameSite=Lax is correct for same-site deployments (www.homelegance.com/chat/).
+    // SameSite=None would require Secure=true which fails behind Apache proxy without trust-proxy config.
+    sameSite: "lax",
+    secure,
   };
 }
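Review bot: The justification in the comment above the `sameSite: "lax"` line is already stale within this same commit: it says SameSite=None fails "without trust-proxy config", but index.ts now sets `trust proxy`, so that reason no longer holds and it invites a future reader to restore None once they notice the proxy setting. State the real reason, which is the one in the commit message — the app is served same-site, so Lax suffices, and Lax also withholds the session cookie from cross-site POST/fetch requests, which is a CSRF hardening relative to None. Suggested replacement: `// Served same-site (www.homelegance.com/chat/), so Lax is sufficient and also keeps the session cookie off cross-site requests; None would require Secure and gives no benefit here.` Note that `secure` still comes from `isSecureRequest(req)`, so on a plain-HTTP request (local dev, or if proxy detection fails) the cookie is issued without the Secure flag — presumably intended for development, but worth confirming that production always resolves to true. getSessionCookieOptions starts outside the hunk; only its tail is visible here.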

+ 2 - 0
server/_core/index.ts

@@ -30,6 +30,8 @@ async function findAvailablePort(startPort: number = 3000): Promise<number> {
 async function startServer() {
   const app = express();
   const server = createServer(app);
+  // Trust Apache reverse proxy so req.protocol reflects HTTPS correctly
+  app.set("trust proxy", 1);
   // Configure body parser with larger size limit for file uploads
   app.use(express.json({ limit: "50mb" }));
   app.use(express.urlencoded({ limit: "50mb", extended: true }));
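Review bot: `app.set("trust proxy", 1)` trusts the X-Forwarded-* headers from whichever peer connects directly to Node, not specifically from Apache; if the process is reachable on anything other than loopback, a client hitting the Node port directly can send `X-Forwarded-Proto: https` (making `req.secure` true and the session cookie Secure) and forge `X-Forwarded-For`, which affects anything downstream that rate-limits or logs by client IP. If Apache runs on the same host, prefer `app.set("trust proxy", "loopback");` (or the proxy's address) and make sure the listener binds to 127.0.0.1 rather than all interfaces. Whether the port chosen by `findAvailablePort` is bound to loopback is not visible in this hunk — confirm at the `server.listen` call. startServer's body continues past the end of the hunk.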