mojolicious / mojo

:sparkles: Mojolicious - Perl real-time web framework
https://mojolicious.org
Artistic License 2.0

max-age for session cookies #1665

Closed Skeeve closed 3 years ago

Skeeve commented 3 years ago

After reading https://mrcoles.com/blog/cookies-max-age-vs-expires/

and checking that session keys do not have a max-age, I think this needs to be added

my %maxAge;
# Mojo::Cookie::Response names this attribute max_age
$maxAge{max_age} = $expiration if $expiration;

after this line: https://github.com/mojolicious/mojo/blob/103b2214cd176c2987ff75e4e8e05492509e3403/lib/Mojolicious/Sessions.pm#L49

and this: https://github.com/mojolicious/mojo/blob/103b2214cd176c2987ff75e4e8e05492509e3403/lib/Mojolicious/Sessions.pm#L53

should become:

  my $options = {
    domain   => $self->cookie_domain,
    expires  => $session->{expires},
    httponly => 1,
    path     => $self->cookie_path,
    samesite => $self->samesite,
    secure   => $self->secure,
    %maxAge
  };

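
Added example, not part of the original thread and not Mojolicious' own session code: it builds a cookie carrying both Expires and Max-Age with Mojo::Cookie::Response and computes the lifetime a client would apply when its clock differs from the server's. The cookie name and value, the one-hour expiration, the skew values and the `client_lifetime` helper are assumptions made for illustration.

```perl
use strict;
use warnings;
use Mojo::Cookie::Response;

# Constructed values: a one-hour session issued by a server with a correct clock.
my $expiration = 3600;
my $server_now = time;

# Set-Cookie header carrying both attributes, as the proposal above would send.
my $header = Mojo::Cookie::Response->new(
  name     => 'mojolicious',
  value    => 'constructed-session-value',
  expires  => $server_now + $expiration,
  max_age  => $expiration,
  httponly => 1,
  path     => '/'
)->to_string;

# Hypothetical helper: lifetime in seconds that a client derives from the header.
# RFC 6265 section 5.3 gives Max-Age precedence over Expires when both are set.
sub client_lifetime {
  my ($set_cookie, $client_now, $honour_max_age) = @_;
  my $cookie = Mojo::Cookie::Response->parse($set_cookie)->[0];

  # Max-Age is relative to the moment of receipt, so the client clock is irrelevant.
  return $cookie->max_age if $honour_max_age && defined $cookie->max_age;

  # Expires is an absolute date, compared against the client's own clock.
  return $cookie->expires - $client_now if defined $cookie->expires;

  return undef;    # neither attribute: cookie lasts until the browser session ends
}

# Constructed clients: clock correct, 30 minutes behind, 2 hours ahead.
for my $skew (0, -1800, 7200) {
  my $client_now = $server_now + $skew;
  printf "skew %+6ds  Expires only: %6ds  with Max-Age: %6ds\n", $skew,
    client_lifetime($header, $client_now, 0),
    client_lifetime($header, $client_now, 1);
}
```

With Expires alone, the client-side lifetime shifts by the clock skew (longer when the client clock is behind, negative and therefore dropped at once when it is far ahead); with Max-Age it stays at the intended 3600 seconds.
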
kraih commented 3 years ago

You're saying we "need" to make changes, but give no reasons for why. I'm afraid this issue will go nowhere.

Skeeve commented 3 years ago

I don't care. I thought it would be better to have max-age.