In order to make edx-jwt-… a session cookie, we’d have to use response.set_cookie without setting an expires param, which should make it a session cookie. There’s a method user_authn.cookies._create_and_set_jwt_cookies which sets these. It calls _set_expires_in_cookie_settings, passing in settings.JWT_AUTH['JWT_IN_COOKIE_EXPIRATION']. Can that be set to None or something? No, _set_expires_in_cookie_settings assumes an integer is passed in. So, we can’t make this a session cookie without any direct change to the edx-platform code.
Change description
Bryan's comments:
Type of change
Related issues
Checklists
Development
Security
Code review