authsmith · chrisAlwinYS · Nov 26, 2025
diff --git a/src/core/protocols/oauth/oauth_authentication.ts b/src/core/protocols/oauth/oauth_authentication.ts
@@ -1,5 +1,10 @@
 import * as jose from "jose"
-import type { JsonObject, PayloadRequest, TypeWithID } from "payload"
+import type {
+  JsonObject,
+  PayloadRequest,
+  SanitizedCollectionConfig,
+  TypeWithID,
+} from "payload"
 import { APP_COOKIE_SUFFIX } from "../../../constants.js"
 import {
   MissingCollection,
@@ -153,6 +158,7 @@ export async function OAuthAuthentication(
         collection: collections.usersCollection,
       },
       useAdmin ? collectionConfig?.auth.tokenExpiration : undefined,
+      collectionConfig.auth as SanitizedCollectionConfig["auth"] || false,
     )),
   ]
   cookies = invalidateOAuthCookies(cookies)

diff --git a/src/core/utils/cookies.ts b/src/core/utils/cookies.ts
@@ -1,13 +1,18 @@
 import * as jwt from "jose"
-import { getCookieExpiration } from "payload"
+import {
+  getCookieExpiration,
+  generateCookie,
+} from "payload"
+import type { SanitizedCollectionConfig } from "payload"
 
 export async function createSessionCookies(
   name: string,
   secret: string,
   fieldsToSign: Record<string, unknown>,
   expiration?: number,
+  collectionAuthConfig?: SanitizedCollectionConfig["auth"] | false,
 ) {
-  const tokenExpiration =
+  const tokenExpiration: number =
     expiration ??
     getCookieExpiration({
       seconds: 7200,
@@ -23,9 +28,29 @@ export async function createSessionCookies(
     .sign(secretKey)
 
   const cookies: string[] = []
-  cookies.push(
-    `${name}=${token};Path=/;HttpOnly;SameSite=lax;Expires=${getCookieExpiration({ seconds: expiration! }).toUTCString()}`,
-  )
+
+  if (collectionAuthConfig) {
+    const sameSite = typeof collectionAuthConfig.cookies.sameSite === 'string' ? collectionAuthConfig.cookies.sameSite : collectionAuthConfig.cookies.sameSite ? 'Strict' : undefined;
+    const cookie =  generateCookie({
+      name: name,
+      domain: collectionAuthConfig.cookies.domain ?? undefined,
+      expires: getCookieExpiration({ seconds: expiration! }),
+      httpOnly: true,
+      path: '/',
+      returnCookieAsObject: false,
+      sameSite,
+      secure: collectionAuthConfig.cookies.secure,
+      value: token
+    }) as string;
+
+    cookies.push(cookie);
+
+  } else {
+    cookies.push(
+      `${name}=${token};Path=/;HttpOnly;SameSite=lax;Expires=${getCookieExpiration({ seconds: expiration! }).toUTCString()}`,
+    )
+  }
+
   return cookies
 }