mikker / passwordless

🗝 Authentication for your Rails app without the icky-ness of passwords
MIT License

Sessions expire despite setting Passwordless.expires_at #86

Closed z3ugma closed 3 years ago

z3ugma commented 4 years ago

Hello! I'm having a really hard time debugging this one.

My intended behavior would be that once the user clicks the login link sent to their email, they stay logged into that browser forever or until they visit the logout link.

Currently, users are logged out in under 12 hours (timing not exact), even when the browser session stays open.

Here is some of my setup:

Initializer config/initializers/passwordless.rb

Passwordless.default_from_address = ENV['MAILER_SENDER']

Passwordless.expires_at = lambda { 16.years.from_now } # How long until a passwordless session expires.
Passwordless.timeout_at = lambda { 12.hours.from_now } # How long until a magic link expires.

# Default redirection paths
Passwordless.success_redirect_path = '/recipes' # When a user succeeds in logging in.
Passwordless.failure_redirect_path = '/' # When a login fails for any reason.
Passwordless.sign_out_redirect_path = '/' # When a user logs out.

Passwordless.after_session_save = lambda do |session, request|
  PasswordlessMailer.magic_link(session).deliver_later
end

The user ends up with these cookies:

[image: screenshot of the browser's cookies for the app]

There is a further configuration in config/application.rb:

module Mise
  class Application < Rails::Application
    # Initialize configuration defaults for originally generated Rails version.
    config.load_defaults 6.0

    config.session_store :cookie_store, {:expire_after => 1.year}
    config.always_write_cookie = true
  end
end

I see the _session_id cookie which expires in 1 year, which I expect is coming from the Rails :cookie_store, and the _mise_session which I expect is from Passwordless, with an expiration of Session.

I'd like the Passwordless cookie to have near-permanent cookie persistence, and persist even after the browser tab has been closed. I don't understand why users are being logged out after ~12 hours even when the browser stays open, however.

fa11enangel commented 3 years ago

@z3ugma thank you for the hints. This is what I did mapped to your example:

As I don't want to pollute my application.rb with additional setup, I've created a separate file in initializers called config/initializers/sessionstore.rb for session setup:

Rails.application.config.session_store :cookie_store, expire_after: 1.year, key: "_mise_session"

Your solution was almost right, but you have to consider:

Hope it'll help solve your problem.
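The thread turns on three separate lifetimes: how long the magic link can be claimed (timeout_at), how long the claimed Passwordless session stays valid (expires_at), and how long the browser keeps the Rails session cookie that carries the session id (the cookie_store expire_after, which when unset yields a cookie that dies with the browser). The following is an added, constructed model of that interaction written for this thread; it is not the gem's code, and the function and field names are assumptions.

```ruby
require "time"

# Constructed model (not the passwordless gem's own implementation).
# created_at/timeout_at/expires_at mirror the gem's session fields;
# claimed_at records when the magic link was used.
PwSession = Struct.new(:created_at, :timeout_at, :expires_at, :claimed_at)

HOUR = 3600
YEAR = 365 * 24 * HOUR

# A freshly issued session: link claimable until timeout_at,
# session usable until expires_at once claimed.
def new_session(now, link_timeout:, session_lifetime:)
  PwSession.new(now, now + link_timeout, now + session_lifetime, nil)
end

# Clicking the magic link: accepted only once and only before timeout_at.
def claim(session, now)
  return false if session.claimed_at || now > session.timeout_at
  session.claimed_at = now
  true
end

# Is the browser still authenticated at `now`?
# The Rails session cookie carries the Passwordless session id, so the
# cookie must still exist AND the Passwordless session must be unexpired.
# cookie_expire_after nil models the cookie_store default: a session cookie
# that the browser discards on restart regardless of expires_at.
def authenticated?(session, now, cookie_set_at:, cookie_expire_after:, browser_restarted:)
  cookie_alive =
    if cookie_expire_after.nil?
      !browser_restarted
    else
      now < cookie_set_at + cookie_expire_after
    end
  cookie_alive && !session.claimed_at.nil? && now < session.expires_at
end
```

With the thread's values (12-hour link timeout, 16-year session, 1-year cookie), the model shows that only the cookie lifetime decides whether a restarted browser stays logged in.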