ory / kratos

The most scalable and customizable identity server on the market. Replace your Homegrown, Auth0, Okta, Firebase with better UX and DX. Has all the tablestakes: Passkeys, Social Sign In, Multi-Factor Auth, SMS, SAML, TOTP, and more. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.
https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=kratos
Apache License 2.0
11.24k stars 963 forks

Session extension in SPA #2562

Closed hero101 closed 2 years ago

hero101 commented 2 years ago

Preflight checklist

Describe the bug

We have started using the session extend API to extend user sessions after requests to our backend server. The session is correctly extended, but the web client is logged out after the session cookie has expired because its expiry date has been set at the time of the login and is not refreshed anymore.

Reproducing the bug

  1. Extend a session using the admin session management API
  2. Observe that the session is extended correctly via sessions/whoami
  3. The session cookie is not updated on the client-side, which results in the client being logged out after the cookie expiry

Expected behavior: The client cookie is refreshed so the browser is not being logged out

Relevant log output

No response

Relevant configuration

No response

Version

0.10.1

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Kubernetes

Additional Context

No response

aeneasr commented 2 years ago

Thank you for the report, this indeed needs to be fixed!

We should probably add a check here

https://github.com/ory/kratos/blob/f09b1b3701c6deda4d25cebb7ccf2e97089be32a/session/manager_http.go#L133-L153

which verifies if the expiry time has changed. For this we could add the original expiry time to the session cookie's values by adding something like session.Values["session_exp"] = session.ExpiresAt

https://github.com/ory/kratos/blob/f09b1b3701c6deda4d25cebb7ccf2e97089be32a/session/manager_http.go#L100

If it has, we re-issue the session cookie.
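To make the proposed fix concrete, here is an added, self-contained Go example (not Kratos code, and not from either participant) that implements the check described above with only the standard library: the cookie records the expiry it was issued with, and the whoami path compares that recorded value with the stored session's ExpiresAt and re-issues the cookie when they differ. The cookie name, the `Session`/`Store` types and the unsigned `"<id>|<unix expiry>"` value format are assumptions made for readability; Kratos signs its cookie through gorilla sessions, which is left out so the comparison logic stays visible.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
	"time"
)

// Session stands in for the server-side record; the admin extension API moves
// ExpiresAt forward, which is exactly what the browser cookie never learns about.
type Session struct {
	ID        string
	ExpiresAt time.Time
}

// Store is a minimal in-memory persister keyed by session id (assumed, not Kratos' own).
type Store map[string]*Session

// cookieName is assumed. The value is "<id>|<unix expiry>" in the clear so the check is
// easy to follow; the signing Kratos does via gorilla sessions is deliberately omitted.
const cookieName = "example_session"

// issueCookie records the expiry the cookie was issued with inside its value (the
// "session_exp" idea from the thread) so later requests can detect a change.
func issueCookie(w http.ResponseWriter, sess *Session) {
	http.SetCookie(w, &http.Cookie{
		Name:     cookieName,
		Value:    sess.ID + "|" + strconv.FormatInt(sess.ExpiresAt.Unix(), 10),
		Path:     "/",
		Expires:  sess.ExpiresAt,
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteLaxMode,
	})
}

// parseCookie splits the value back into session id and recorded expiry.
func parseCookie(c *http.Cookie) (string, time.Time, bool) {
	parts := strings.SplitN(c.Value, "|", 2)
	if len(parts) != 2 {
		return "", time.Time{}, false
	}
	unix, err := strconv.ParseInt(parts[1], 10, 64)
	if err != nil {
		return "", time.Time{}, false
	}
	return parts[0], time.Unix(unix, 0).UTC(), true
}

// FetchSession is the check proposed in the thread for the whoami path: resolve the cookie,
// reject expired sessions, and re-issue the cookie when the stored expiry differs from the
// one recorded at issuance.
func (s Store) FetchSession(w http.ResponseWriter, r *http.Request, now time.Time) (*Session, bool) {
	c, err := r.Cookie(cookieName)
	if err != nil {
		return nil, false
	}
	id, recordedExp, ok := parseCookie(c)
	sess, found := s[id]
	if !ok || !found || !now.Before(sess.ExpiresAt) {
		return nil, false
	}
	if !sess.ExpiresAt.Equal(recordedExp) {
		issueCookie(w, sess) // expiry moved (e.g. admin extension): refresh the browser's copy
	}
	return sess, true
}

// Walkthrough replays the issue's steps and returns the cookie expiry the browser holds
// after login and after a whoami that follows an admin extension.
func Walkthrough() (afterLogin, afterWhoami time.Time) {
	now := time.Unix(1_700_000_000, 0).UTC() // constructed fixed clock
	sess := &Session{ID: "sess-1", ExpiresAt: now.Add(24 * time.Hour)}
	store := Store{sess.ID: sess}
	rec := httptest.NewRecorder()
	issueCookie(rec, sess) // login: cookie carries the initial expiry
	loginCookie := rec.Result().Cookies()[0]
	sess.ExpiresAt = now.Add(25 * time.Hour) // admin extends by 24h, one hour after login
	req := httptest.NewRequest(http.MethodGet, "/sessions/whoami", nil)
	req.AddCookie(loginCookie) // browser still presents the login-time cookie
	rec = httptest.NewRecorder()
	store.FetchSession(rec, req, now.Add(time.Hour))
	afterLogin, afterWhoami = loginCookie.Expires, loginCookie.Expires
	if cs := rec.Result().Cookies(); len(cs) > 0 {
		afterWhoami = cs[0].Expires
	}
	return afterLogin, afterWhoami
}

func main() {
	a, b := Walkthrough()
	fmt.Printf("cookie expiry after login: %s\nafter whoami post-extension: %s\n", a, b)
}
```

Running the program shows the login cookie expiring 24 hours after login and the re-issued cookie expiring 25 hours after login, i.e. the browser now tracks the extended server-side expiry. When nothing has changed the whoami response carries no Set-Cookie at all, so the check adds no per-request cost beyond one time comparison.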