#2911 used the `SESSION_EXPIRE_AT_BROWSER_CLOSE` setting to implement browser sessions (as opposed to persistent sessions). This removes the `Expires=` attribute from the `sessionid` cookie. Previously, the `Expires=` attribute was managed by the custom `SESSION_TIMEOUT` variable, which only controlled the cookie expiration, not the Django session timeout.
Django manages both the backend session timeout and the cookie expiration with the same setting, `SESSION_COOKIE_AGE`. This defaults to 30 minutes, meaning any session longer than 30 minutes is cut off (a hard timeout rather than a keep-alive). The backend session timeout needs to be increased without setting the cookie's `Expires=` attribute. Because `SESSION_EXPIRE_AT_BROWSER_CLOSE` is `True`, the `Expires=` attribute still won't be set, but Django's backend session timeout will be raised.
Acceptance Criteria
- [ ] Identify the session timeout/expiration of the JWT provided by login.gov
- [ ] Parameterize the environment variable value for `SESSION_COOKIE_AGE` (equal to or lower than the login.gov JWT expiration)
- [ ] Remove the unused `SESSION_TIMEOUT` variable from `common.py` and its usages throughout the authentication API
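The three acceptance criteria above amount to one small piece of configuration logic: read the token lifetime, read the desired age from the environment, and never let the Django session outlive the identity provider's token. The following Python is an added illustration, not code from this project or this issue. It assumes an environment variable named `SESSION_COOKIE_AGE`, hypothetical helper names, and a constructed unsigned (`alg: none`) sample token standing in for the login.gov JWT; the 30-minute fallback mirrors the default stated in the issue. The claim decoding deliberately does not verify the signature, because it only sizes a setting and never authenticates anyone.

```python
"""Hypothetical helpers for sizing Django session settings from an IdP token lifetime.

Added example; not the project's own code. Names and the sample token are assumptions.
"""
import base64
import json

# Fallback used when SESSION_COOKIE_AGE is not set in the environment.
# Mirrors the 30-minute default described in the issue text.
FALLBACK_COOKIE_AGE = 30 * 60


def _b64url_encode(data: bytes) -> str:
    """base64url without padding, as used in compact JWS serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Restore padding stripped by compact serialization, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, UNSIGNED token for the sample input below (test data only)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."  # empty signature segment


def jwt_lifetime_seconds(token: str) -> int:
    """Return exp - iat from the token payload.

    The signature is NOT checked here. This reads claims only to derive a
    configuration value; anything that authenticates a user must verify the
    token with the provider's keys instead.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    try:
        lifetime = int(claims["exp"]) - int(claims["iat"])
    except KeyError as missing:
        raise ValueError(f"JWT lacks required claim {missing}") from None
    if lifetime <= 0:
        raise ValueError("exp must be later than iat")
    return lifetime


def session_cookie_age(environ: dict, jwt_lifetime: int,
                       fallback: int = FALLBACK_COOKIE_AGE) -> int:
    """Pick the backend session age: the configured value, capped at the token lifetime."""
    raw = environ.get("SESSION_COOKIE_AGE")
    requested = int(raw) if raw not in (None, "") else fallback
    if requested <= 0:
        raise ValueError("SESSION_COOKIE_AGE must be a positive number of seconds")
    return min(requested, jwt_lifetime)


def django_session_settings(environ: dict, idp_token: str) -> dict:
    """Return the two settings that together give the behaviour the issue asks for.

    SESSION_EXPIRE_AT_BROWSER_CLOSE=True keeps Expires= off the sessionid cookie
    (a browser-session cookie), while SESSION_COOKIE_AGE still bounds how long
    the server-side session stays valid.
    """
    return {
        "SESSION_EXPIRE_AT_BROWSER_CLOSE": True,
        "SESSION_COOKIE_AGE": session_cookie_age(environ, jwt_lifetime_seconds(idp_token)),
    }


# Constructed sample token: issued at a fixed instant, valid for one hour.
SAMPLE_ISSUED_AT = 1_700_000_000
SAMPLE_TOKEN = make_unsigned_jwt({
    "iss": "https://idp.example",      # placeholder issuer, not login.gov's
    "sub": "constructed-subject",
    "iat": SAMPLE_ISSUED_AT,
    "exp": SAMPLE_ISSUED_AT + 3600,
})

if __name__ == "__main__":
    # A requested day-long session is clamped to the one-hour token lifetime.
    print(django_session_settings({"SESSION_COOKIE_AGE": "86400"}, SAMPLE_TOKEN))
```

The clamp is the security-relevant piece: a generous `SESSION_COOKIE_AGE` in one environment cannot silently produce Django sessions that outlive the login.gov token, which is exactly the "match or lower" condition in the second acceptance criterion.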