- Notifications
You must be signed in to change notification settings - Fork6k
Cookie Expiration Age Fix#7327
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
base:main
Are you sure you want to change the base?
Uh oh!
There was an error while loading.Please reload this page.
Conversation
code-asher left a comment• edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Thank you for the contribution! Looks good to me so far. We will have to add it tosrc/node/cli.ts as well.
The. syntax is intriguing, but I want to say we call itauth-cookie-max-age for now.
| @@ -326,6 +335,7 @@ export const getCookieOptions = (req: express.Request): express.CookieOptions => | |||
| domain: getCookieDomain(url.host, req.args["proxy-domain"]), | |||
| path: normalize(url.pathname) || "/", | |||
| sameSite: "lax", | |||
| maxAge: getConfigCookieMaxAgeAsMilliseconds(req) || 0, | |||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Oh wait is0 the right default? This will delete the cookie instantly, I think? We may want-1.
code-asherApr 28, 2025 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Hmm actually zero or negative immediately expires the cookie it seems.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#max-agenumber
https://datatracker.ietf.org/doc/html/rfc6265#section-5.2.2
Should it just be undefined? Also we may want?? instead of|| in case someone does explicitly set it to zero for some reason.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
I'd read it in the Express JS docs setting it to 0 makes it session
https://expressjs.com/en/api.html#res.cookie
They gave this explanation to theexpires parameter, but also saidmaxAge is a "Convenient option for setting the expiry time relative to the current time in milliseconds". They didn't specify what to put here to make it session, nor what the default is.
code-asherApr 30, 2025 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Yeah I also thought maybe it was an Express thing, but when I checked the source it seems to just immediately expire.
IfmaxAge is zero, it passesexpires set to now andmaxAge set to zero intocookie.serialize():
cookie.serialize() simply addsMax-Age=0 andExpires=<the now date> to the cookie:
Now, ifexpires is zero (although this is actually a type error), and there is no max age it does indeed skip settingExpires in that case, which would result in a session cookie. The difference is they doif (options.maxAge !== undefined) versusif (options.expires), so zero is not ignored in the max age case.
nb-programmerMay 6, 2025 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Yeah I also thought maybe it was an Express thing, but when I checked the source it seems to just immediately expire.
If
maxAgeis zero, it passesexpiresset to now andmaxAgeset to zero intocookie.serialize():
cookie.serialize()simply addsMax-Age=0andExpires=<the now date>to the cookie:Now, if
expiresis zero (although this is actually a type error), and there is no max age it does indeed skip settingExpiresin that case, which would result in a session cookie. The difference is they doif (options.maxAge !== undefined)versusif (options.expires), so zero is not ignored in the max age case.
Hmm, what would be a good way to ensure it is properly a session cookie?Sending or we can just skip the field if there is no config for it.null seems illogical, but would work,
Edit:null won't work since theserialize method just checks for undefined, and raises an error if its not an integer.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Yeah I think something likemaxAge: getConfigCookieMaxAgeAsMilliseconds(req) ?? undefined would do the trick.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Ah waitgetConfigCookieMaxAgeAsMilliseconds always returns a number, so we would have to do it in there. We could returnnumber | undefined.
Uh oh!
There was an error while loading.Please reload this page.
Fixes#7301
Fixes#5437