Session cookie Expires/Max-Age not in sync with expiration_in_seconds

Open jarmo opened this issue 2 years ago • 0 comments

I experienced a problem where I configured Plug.Session like this:

plug Plug.Session,
    store: :redis,
    key: "_session_key",
    expiration_in_seconds: 60

This did work as expected - the user was logged out after 60 seconds. However, I also noticed that the cookie which holds the session id does not have Expires/Max-Age set, which means that this is essentially a session cookie, which might get deleted after a browser restart.

This causes a problem where expiration_in_seconds is set to a longer period (months, for example), but the user still needs to log in again after each browser restart.

That kind of behavior was unexpected to me, since I would have expected the cookie expiration to be the same as expiration_in_seconds. I also did not find any mention of this behavior in the README.

I managed to solve this problem with the following configuration:

plug Plug.Session,
    store: :redis,
    key: "_session_key",
    expiration_in_seconds: 60,
    max_age: 60

If this behavior is intentional then maybe at least mention it in the README?

jarmo Nov 28 '21 10:11
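A check for the mismatch described in the issue above, added here as an example (it is not code from the issue or from the project): it reads a Set-Cookie header and compares the cookie's client-side lifetime with the server-side session TTL. The function names, the `tolerance` parameter and the sample headers are assumptions constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def cookie_lifetime(set_cookie, now):
    """Client-side lifetime in seconds, or None for a session cookie."""
    attrs = {}
    for part in set_cookie.split(";")[1:]:  # part 0 is name=value
        name, _, value = part.strip().partition("=")
        attrs[name.lower()] = value.strip()
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        try:
            return int(attrs["max-age"])
        except ValueError:
            pass  # an invalid Max-Age is ignored
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None  # unparseable date: the attribute is ignored
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return int((expires - now).total_seconds())
    return None  # neither attribute: cookie lives until the browser closes


def compare(set_cookie, store_ttl, now, tolerance=5):
    """Classify the cookie lifetime against the server-side session TTL."""
    lifetime = cookie_lifetime(set_cookie, now)
    if lifetime is None:
        return "session-cookie"
    if abs(lifetime - store_ttl) <= tolerance:
        return "in-sync"
    return "cookie-shorter" if lifetime < store_ttl else "cookie-longer"


# Constructed sample headers (not captured from a real application).
NOW = datetime(2021, 11, 28, 10, 11, 0, tzinfo=timezone.utc)
NO_LIFETIME = "_session_key=abc123; path=/; HttpOnly"
WITH_MAX_AGE = "_session_key=abc123; path=/; max-age=60; HttpOnly"
WITH_EXPIRES = "_session_key=abc123; path=/; expires=Sun, 28 Nov 2021 10:12:00 GMT"

if __name__ == "__main__":
    for header in (NO_LIFETIME, WITH_MAX_AGE, WITH_EXPIRES):
        print(compare(header, 60, NOW), "<-", header)
```

A result of `session-cookie` with a long store TTL is the situation reported here: the browser may discard the cookie at restart while the session entry stays in the store until its TTL runs out.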