From d14c67b1bd89a107ff82192bebed9bed54c3a1ed Mon Sep 17 00:00:00 2001
From: Ivar Abrahamsen <ivar.abrahamsen@defra.gov.uk>
Date: Tue, 12 Nov 2024 15:55:13 +0000
Subject: [PATCH 1/2] Non strict headers to support Microsoft cookies

---
 src/server/index.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/server/index.js b/src/server/index.js
index 7ca53d569..f7d04c8df 100644
--- a/src/server/index.js
+++ b/src/server/index.js
@@ -76,7 +76,10 @@ async function createServer() {
           client: redisClient
         })
       }
-    ]
+    ],
+    state: {
+      strictHeader: false
+    }
   })
 
   // TODO refactor cache and decorate it on to server and request. No need for it to be on server.app

From 1cb6374d6014d3b093bb5b42eb2ab53c99d855fb Mon Sep 17 00:00:00 2001
From: Ivar Abrahamsen <ivar.abrahamsen@defra.gov.uk>
Date: Tue, 12 Nov 2024 19:34:37 +0000
Subject: [PATCH 2/2] Clearing invalid cookies

---
 src/server/common/helpers/auth/session-cookie.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/server/common/helpers/auth/session-cookie.js b/src/server/common/helpers/auth/session-cookie.js
index 8f91b5c66..736a47624 100644
--- a/src/server/common/helpers/auth/session-cookie.js
+++ b/src/server/common/helpers/auth/session-cookie.js
@@ -20,7 +20,8 @@ const sessionCookie = {
           path: '/',
           password: config.get('sessionCookiePassword'),
           isSecure: config.get('isProduction'),
-          ttl: config.get('sessionCookieTtl')
+          ttl: config.get('sessionCookieTtl'),
+          clearInvalid: true
         },
         keepAlive: true,
         requestDecoratorName: 'sessionCookie',