keratin / authn-js

JavaScript client library for Keratin AuthN
GNU Lesser General Public License v3.0

cookies: add option for explicit TTL from session expiration #55

Closed AlexCuse closed 1 year ago

AlexCuse commented 1 year ago

We are seeing an issue on mobile Safari where cookies with implied expires=Session don't survive with the tab, and are hoping setting an explicit TTL will help the browser hang onto them.

AlexCuse commented 1 year ago

How do you plan to choose a ttlSeconds? Will it be based somehow on the access token lifetime?

Our plan was to keep a relatively short access token lifespan but keep the cookie written by our app around longer to be used in refreshes, making that the effective ttl. But it will be a bit of a balancing act - if we need to, to get it working, we'll go as high with access token ttl as we do on the cookie, but we consider the frequent refreshes a feature we want to keep in most cases. Just running into what seems like problems with mobile browsers and "hibernating" tabs and looking to improve UX if we can.

AlexCuse commented 1 year ago

Thinking about this more I wonder if dynamically deriving from the token expiry might be a better approach.

cainlevy commented 1 year ago

This library already relies on the token expiry for refreshes. 👍

cainlevy commented 1 year ago

@AlexCuse is this ready for release? I don't have any comments.

AlexCuse commented 1 year ago

@cainlevy I think it should be in good shape; just finished verifying everything in a local build of our app. Adding the optionality is nice, so if there are any issues they should only affect people who are using the new expiration functionality.

cainlevy commented 1 year ago

released in v1.4.0
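
The three cookie lifetimes discussed in this thread (session cookie, explicit `ttlSeconds`, lifetime derived from the token expiry), as an added example that is not code from authn-js or from this PR. The function names, the `deriveFromToken` option, the cookie attributes and the sample token are assumptions constructed for illustration.

```javascript
// Added example; not authn-js source. Every name except ttlSeconds is hypothetical.

// Read `exp` (seconds since epoch) from a JWT payload. The signature is not
// verified: the value only schedules cookie expiry, it authorizes nothing.
function jwtExp(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const json = typeof atob === 'function'
    ? atob(b64)
    : Buffer.from(b64, 'base64').toString('binary');
  const exp = JSON.parse(json).exp;
  if (typeof exp !== 'number') throw new Error('JWT has no numeric exp');
  return exp;
}

// Cookie lifetime in seconds, or null for a session cookie.
//   ttlSeconds       explicit lifetime; the cookie may outlive the access token
//   deriveFromToken  remaining token lifetime, floored at 0 once expired
function cookieLifetime(token, { ttlSeconds, deriveFromToken = false, now = Date.now() } = {}) {
  if (ttlSeconds !== undefined) {
    if (!Number.isInteger(ttlSeconds) || ttlSeconds <= 0) {
      throw new RangeError('ttlSeconds must be a positive integer');
    }
    return ttlSeconds;
  }
  if (deriveFromToken) return Math.max(0, jwtExp(token) - Math.floor(now / 1000));
  return null;
}

// Build the document.cookie string. Without Max-Age/Expires the browser treats
// it as a session cookie, the case this thread reports losing on mobile Safari.
function buildCookie(name, token, opts = {}) {
  const now = opts.now === undefined ? Date.now() : opts.now;
  const life = cookieLifetime(token, { ...opts, now });
  let cookie = `${name}=${encodeURIComponent(token)}; Path=/; Secure; SameSite=Lax`;
  if (life !== null) {
    cookie += `; Max-Age=${life}; Expires=${new Date(now + life * 1000).toUTCString()}`;
  }
  return cookie;
}

// Constructed sample token; payload decodes to {"exp":1700003600}.
const SAMPLE = 'eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE3MDAwMDM2MDB9.constructed-signature';
const NOW = 1700000000 * 1000; // fixed clock so the output is reproducible

console.log(buildCookie('authn', SAMPLE, { now: NOW }));
console.log(buildCookie('authn', SAMPLE, { ttlSeconds: 86400, now: NOW }));
console.log(buildCookie('authn', SAMPLE, { deriveFromToken: true, now: NOW }));
```

With an explicit TTL the stored token stays in the browser for the full window, so the value chosen is also the period for which a copied cookie remains usable for refreshes.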