When OAuth2 login is enabled, SERVER_SERVLET_SESSION_TIMEOUT seems not to take effect properly

[NagaseYami]

Steps to reproduce

• Run komga with Docker
• Run Authelia with Docker
• Follow this guide to setup OAuth2
• Sign in with Authelia
• Restart my browser
• Now I have to sign in again

Here is my application.yml file, which is almost identical to the example from Authelia, except that I added a session setting.

komga:
  oauth2-account-creation: true
server:
  servlet:
    session:
      timeout: 7d
spring:
  security:
    oauth2:
      client:
        registration:
          authelia:
            client-id: komga
            client-secret: <my-secret>
            client-name: Authelia
            scope: openid,profile,email
            authorization-grant-type: authorization_code
            redirect-uri: "{baseScheme}://{baseHost}{basePort}{basePath}/login/oauth2/code/authelia"
        provider:
          authelia:
            issuer-uri: https://auth.example.com
            user-name-attribute: preferred_username

Expected behavior

server.servlet.session.timeout works.

Actual behavior

Every time I restart the browser, I need to sign in again.

Logs

No response

Komga version

v1.11.1-master

Operating system

Windows 11 & Chromium 124.0.6367.156-r1274542

Installation method

Docker

Other details

No response

Acknowledgements

• [X] I have searched the existing issues (open AND closed) and this is a new ticket, NOT a duplicate or related to another open issue.
• [X] I have written a short but informative title.
• [X] I have checked the FAQ.
• [X] I have updated the app to the latest version.
• [X] I will fill out all of the requested information in this form.

[gotson]

Does your browser clear cookies on restart maybe ? Session on client side is stored in cookies.

Also, was the server restarted or was it running all the time ? Sessions are only stored in memory.

[NagaseYami]

Does your browser clear cookies on restart maybe ? Session on client side is stored in cookies.您的浏览器是否会在重新启动时清除 cookie？客户端的会话存储在cookie中。

Also, was the server restarted or was it running all the time ? Sessions are only stored in memory.另外，服务器是重新启动还是一直在运行？会话仅存储在内存中。

If my browser clears cookies on every restart, then my SSO (Authelia) would also log out. And I've been checking by looking at the docker logs, so the server has been running continuously. But your suspicion is reasonable, because this issue cannot be reproduced on the Mihon Komga plugin.(That means I don't need to sign in again after restart Mihon)

[NagaseYami]

I think I've found the reason. Following your suggestion, I checked the Cookies, and I found that after a successful login, Komga creates a cookie called SESSION, but its Expires/Max-Age property is set to Session. So this cookie gets cleared every time I restart the browser.

[gotson]

But your suspicion is reasonable, because this issue cannot be reproduced on the Mihon Komga plugin.(That means I don't need to sign in again after restart Mihon)

not really relevant, since Mihon has credentials and will transparently login if needed.

[gotson]

Komga creates a cookie called SESSION, but its Expires/Max-Age property is set to Session. So this cookie gets cleared every time I restart the browser.

normally that shouldn't matter when remember-me is checked, but for OAuth2 i am not sure that would actually have any effect.

There's a property server.servlet.session.cookie.max-age but it doesn't get picked up for now in Komga because there's some override of the default behaviour.

I guess I could add support for this property, so if it is defined it would be used. I suppose that would address your concern ?

[gotson]

Ideally the remember-me checkbox should apply to OAuth2, but it doesn't. I raised this https://github.com/spring-projects/spring-security/issues/15078 let's see if that gets accepted or not.

[NagaseYami]

I guess I could add support for this property, so if it is defined it would be used. I suppose that would address your concern ?

Thank you very much, but I don't think this issue is a critical one at the moment. So I think it's okay to wait for the result of https://github.com/spring-projects/spring-security/issues/15078 before taking any action. There's no need to rush to add a temporary solution to Komga. I can try using some cookie management Chrome extensions as a temporary workaround.