Diffstat (limited to 'app/api')
-rw-r--r--app/api/auth/[...nextauth]/saml/provider.ts6
-rw-r--r--app/api/saml/callback/route.ts5
2 files changed, 9 insertions, 2 deletions
diff --git a/app/api/auth/[...nextauth]/saml/provider.ts b/app/api/auth/[...nextauth]/saml/provider.ts
index 1f891661..8486a690 100644
--- a/app/api/auth/[...nextauth]/saml/provider.ts
+++ b/app/api/auth/[...nextauth]/saml/provider.ts
@@ -248,7 +248,11 @@ export async function createNextAuthToken(user: User): Promise<string> {
// NextAuth 세션 쿠키 이름 가져오기
export function getSessionCookieName(): string {
- return process.env.NODE_ENV === 'production'
+ // NEXTAUTH_URL이 HTTPS인 경우에만 __Secure- 접두사 사용
+ const nextAuthUrl = process.env.NEXTAUTH_URL || '';
+ const isHttps = nextAuthUrl.startsWith('https://');
+
+ return isHttps
? '__Secure-next-auth.session-token'
: 'next-auth.session-token';
}
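Review bot: With NEXTAUTH_URL unset, `process.env.NEXTAUTH_URL || ''` on the added line makes `isHttps` false, so a production deployment that forgets the variable now silently gets the unprefixed, non-`__Secure-` session cookie where the removed `NODE_ENV === 'production'` check used to fail closed. Keeping the old default as the fallback preserves the intent of the change without that regression: `const isHttps = nextAuthUrl ? nextAuthUrl.startsWith('https://') : process.env.NODE_ENV === 'production';`. The same concern applies to `secure: isHttps` in the second hunk (app/api/saml/callback/route.ts), which derives the flag from `baseUrl` rather than NEXTAUTH_URL; if `baseUrl` and `cookieName` (both defined outside that hunk) can disagree on scheme, a `__Secure-`-named cookie set with `secure: false` is rejected by browsers, so both should derive from the same source. `startsWith('https://')` is also case-sensitive; comparing `new URL(nextAuthUrl).protocol === 'https:'` (guarded for an invalid value) avoids that edge.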
diff --git a/app/api/saml/callback/route.ts b/app/api/saml/callback/route.ts
index 7f454cb9..c0290e71 100644
--- a/app/api/saml/callback/route.ts
+++ b/app/api/saml/callback/route.ts
@@ -161,9 +161,12 @@ export async function POST(request: NextRequest) {
// POST 요청에 대한 응답으로는 303 See Other를 사용하여 GET으로 강제 변환
const response = NextResponse.redirect(new URL(redirectPath, baseUrl), 303)
+ // NEXTAUTH_URL이 HTTPS인 경우에만 secure 쿠키 사용
+ const isHttps = baseUrl.startsWith('https://');
+
response.cookies.set(cookieName, encodedToken, {
httpOnly: true,
- secure: process.env.NODE_ENV === 'production',
+ secure: isHttps,
sameSite: 'lax',
path: '/',
maxAge: 30 * 24 * 60 * 60 // 30일