BUG: Session expiry not configurable in Docker; user cookies outlive session boundary #3223
Describe the bug
maxSessionDuration is not exposed in the Docker configuration, making it impossible to enforce session expiry in Docker deployments without providing a custom config file. Additionally, user* cookies are always issued with a hardcoded 60-second lifetime regardless of how much session time remains, causing them to outlive the session boundary.
To Reproduce
Steps to reproduce the behavior:
1. Configure auth in a Docker deployment without a custom config file
2. Observe that there is no TEMPORAL_MAX_SESSION_DURATION environment variable available
3. Alternatively: configure maxSessionDuration to less than 60 seconds
4. Log in and wait for the session to expire
5. Observe that user* cookies remain valid in the browser beyond the session limit, while API calls return 401 errors
Expected behavior
Docker operators should be able to set session expiry via TEMPORAL_MAX_SESSION_DURATION. User cookies should never outlive the configured session boundary.
Additional context
The maxSessionDuration field exists in the Auth config struct (server/server/config/config.go) and is enforced server-side via ValidateSessionDuration, but it is not wired into docker.yaml, so Docker operators have no way to set it without a fully custom config file.
In server/server/auth/auth.go, SetUser always issues user* cookies with MaxAge hardcoded to 60 seconds. This means that when maxSessionDuration is shorter than 60 seconds, the browser retains tokens past the session limit. On the final token refresh before session expiry, newly issued user* cookies can outlive the session by up to 60 seconds, leaving the UI appearing authenticated while all API requests return 401.
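An added example (not the project's own code) of how the cookie lifetime described above could be bounded by the session boundary: the Max-Age is clamped to the seconds remaining in the session instead of a fixed 60, and a session that has already ended yields a deleting cookie. The function names, the cookie attributes and the 60-second default are assumptions taken from the description in this issue.

```go
package main

import (
	"fmt"
	"net/http"
	"time"
)

// Lifetime the issue reports as hardcoded for user* cookies (assumed default).
const defaultUserCookieMaxAgeSeconds = 60

// userCookieMaxAge returns the Max-Age to put on a user* cookie so that the
// cookie never outlives the session. sessionExpiry is the absolute time the
// server-side session ends. Whole seconds are truncated (never rounded up) so
// the cookie cannot exceed the boundary. A result of -1 follows net/http
// semantics: MaxAge < 0 writes "Max-Age=0", i.e. delete the cookie now.
func userCookieMaxAge(now, sessionExpiry time.Time) int {
	secs := int(sessionExpiry.Sub(now) / time.Second) // truncates toward zero
	if secs <= 0 {
		return -1 // session already over (or under a second left): delete
	}
	if secs > defaultUserCookieMaxAgeSeconds {
		return defaultUserCookieMaxAgeSeconds
	}
	return secs
}

// newUserCookie builds a user* cookie whose lifetime is bounded by the session.
// The flag set here is illustrative; a real server keeps whatever attributes
// its existing user* cookies already carry.
func newUserCookie(name, value string, now, sessionExpiry time.Time) *http.Cookie {
	maxAge := userCookieMaxAge(now, sessionExpiry)
	c := &http.Cookie{
		Name:     name,
		Value:    value,
		Path:     "/",
		Secure:   true,
		SameSite: http.SameSiteLaxMode,
		MaxAge:   maxAge,
	}
	if maxAge < 0 {
		c.Value = "" // deleting cookie: clear the stale token as well
	}
	return c
}

func main() {
	now := time.Now()
	for _, left := range []time.Duration{10 * time.Minute, 25 * time.Second, 500 * time.Millisecond, -time.Second} {
		c := newUserCookie("user-name", "alice", now, now.Add(left))
		fmt.Printf("%v of session left -> %s\n", left, c.String())
	}
}
```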