OLH-2783: Use a session scoped session cookie#2273
Conversation
Remove the max age definition from our session cookie config. This means express-session won't set an `Expires` field on the cookie and therefore browsers will treat our session cookie as scoped to that browser session. In practice, this means that we'll log users out when they close the last tab / window with Home open in it.
liegeandlief left a comment:

If the user doesn't close their browser then their session will last as long as it exists in DynamoDB. Where is the expiry of sessions in DynamoDB configured? Do we need to check and maybe adjust that expiry time?
| secret: string | ||
| ): any { | ||
| return { | ||
| name: "ams", |
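Review bot: the `): any {` return type discards the shape of the config object this function builds, so the compiler cannot catch a stray or misspelled key in it. Since the object is handed to express-session's `session(...)` (per the description and the comment on `name`), declaring the return type as `SessionOptions` from `express-session` instead of `any` would type-check every key, including the max age setting this PR removes.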
I think the name here is redundant as the cookies seem to get called `am` from the session(...) call in app.ts
Hmm good point. We do have the TTL configured on that table but I'm not sure how this
(linked snippet: di-account-management-frontend/deploy/template.yaml, lines 1960 to 1962 in 6963e6a)
It's set by the library we're using and will default to "now plus a day" if our session cookie doesn't have an expiry time. That might not work for us 😞

Frustrating that the cookie and session expiry can't be configured independently 😖. I wonder how active that library is and whether we could open a PR on it

I've opened a PR with the feature - we shall see!
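To make the trade-off discussed above concrete, here is an added illustration that is not code from this PR or from the account-management-frontend project. It builds the cookie part of an express-session style config with and without a max age, renders the attributes a `Set-Cookie` header would carry for each, and models the store behaviour the thread describes (session TTL follows the cookie expiry when one exists, otherwise a default of one day). The function names (`sessionCookieOptions`, `setCookieAttributes`, `storeTtlMs`, `compare`) and the one-day fallback are assumptions for this example, not the library's actual implementation.

```javascript
// Added example, not the PR's own code. Models how dropping `maxAge` changes the
// browser-side cookie lifetime while a server-side session TTL still applies.
// Function names and the one-day default are assumptions made for this example.

const ONE_DAY_MS = 24 * 60 * 60 * 1000;

// Builds the cookie section of an express-session style config.
// When `maxAgeMs` is undefined no Expires/Max-Age attribute is emitted, so the
// browser keeps the cookie only for the current browser session.
function sessionCookieOptions(secret, maxAgeMs) {
  const cookie = { httpOnly: true, secure: true, sameSite: "lax" };
  if (maxAgeMs !== undefined) cookie.maxAge = maxAgeMs;
  return { secret, cookie };
}

// Renders the attributes a Set-Cookie header would carry for that cookie.
// `now` (epoch ms) is injected so the output is deterministic and testable.
function setCookieAttributes(cookie, now) {
  const attrs = [];
  if (cookie.maxAge !== undefined) {
    attrs.push(`Expires=${new Date(now + cookie.maxAge).toUTCString()}`);
    attrs.push(`Max-Age=${Math.floor(cookie.maxAge / 1000)}`);
  }
  if (cookie.httpOnly) attrs.push("HttpOnly");
  if (cookie.secure) attrs.push("Secure");
  if (cookie.sameSite) {
    const s = cookie.sameSite;
    attrs.push(`SameSite=${s[0].toUpperCase()}${s.slice(1)}`);
  }
  return attrs;
}

// Models the store behaviour described in the thread (an assumption, not the
// library's code): the stored session's TTL follows the cookie expiry when
// there is one, otherwise it falls back to a default of one day.
function storeTtlMs(cookie, defaultTtlMs = ONE_DAY_MS) {
  return cookie.maxAge !== undefined ? cookie.maxAge : defaultTtlMs;
}

// Compares the configuration before this PR (a one-hour maxAge, a constructed
// value) with the configuration after it (no maxAge at all).
function compare(now) {
  const before = sessionCookieOptions("constructed-secret", 60 * 60 * 1000);
  const after = sessionCookieOptions("constructed-secret", undefined);
  return {
    before: { attrs: setCookieAttributes(before.cookie, now), storeTtlMs: storeTtlMs(before.cookie) },
    after: { attrs: setCookieAttributes(after.cookie, now), storeTtlMs: storeTtlMs(after.cookie) },
  };
}

// Stand-alone run: the "after" cookie carries no Expires attribute, yet its
// server-side record still lives for the default day.
console.log(JSON.stringify(compare(Date.now()), null, 2));
```

The point the comparison makes is the one raised in the thread: a session-scoped cookie ends the browser's copy of the session when the last window closes, but a browser that stays open keeps a cookie that the store will still honour until the store-side TTL runs out, so that TTL is the value to review alongside this change.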