Summary of Changes

Pull request closes #2954

- `SESSION_TIMEOUT`, which hasn't controlled the session timeout since #2911
- Extend `SESSION_COOKIE_AGE` to match the expiration of the jwt provided by login.gov - the expiration in the dev environment was only 15 minutes

How to Test
That's basically it, nothing changes about our signin workflow. The values set by `SESSION_TIMEOUT` were being overridden by `SESSION_EXPIRE_AT_BROWSER_CLOSE`'s behavior of removing the `Expires=` from the cookie. You can run the tests from #2911 that verify the session cookie behavior.
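As an added illustration (not code from this PR or the project), a small Python check for the point above and for the first acceptance criterion below: a session cookie emitted under `SESSION_EXPIRE_AT_BROWSER_CLOSE` carries no `Max-Age`/`Expires`, so no age setting binds it, whereas a bounded cookie can be compared against the login.gov JWT's `exp`. The Set-Cookie strings and the JWT are constructed samples, not captured traffic.

```python
import base64
import json
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

# Constructed reference time; the sample JWT below is unsigned and NOT a real login.gov token.
NOW = datetime(2021, 1, 1, 12, 0, tzinfo=timezone.utc)

def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# JWT that expires one hour after NOW; the signature segment is a placeholder.
SAMPLE_JWT = ".".join([_b64url({"alg": "RS256"}),
                       _b64url({"iat": int(NOW.timestamp()),
                                "exp": int(NOW.timestamp()) + 3600}),
                       "placeholder-signature"])

# Constructed Set-Cookie headers modelled on Django's sessionid cookie.
# SESSION_EXPIRE_AT_BROWSER_CLOSE=True: no Max-Age/Expires, so age settings are ignored.
BROWSER_CLOSE_COOKIE = "sessionid=abc123; HttpOnly; Path=/; SameSite=Lax; Secure"
# SESSION_EXPIRE_AT_BROWSER_CLOSE=False with SESSION_COOKIE_AGE=1800: bounded lifetime.
BOUNDED_COOKIE = ("sessionid=abc123; expires=Fri, 01 Jan 2021 12:30:00 GMT; "
                  "HttpOnly; Max-Age=1800; Path=/; SameSite=Lax; Secure")

def cookie_lifetime_seconds(set_cookie: str, now: datetime = NOW) -> Optional[int]:
    """Server-bound lifetime from Max-Age (preferred, per RFC 6265) or Expires.
    None means a browser-session cookie with no server-enforced expiry."""
    attrs = {}
    for part in set_cookie.split(";")[1:]:
        name, _, value = part.strip().partition("=")
        attrs[name.lower()] = value
    if "max-age" in attrs:
        return int(attrs["max-age"])
    if "expires" in attrs:
        return int((parsedate_to_datetime(attrs["expires"]) - now).total_seconds())
    return None

def jwt_remaining_seconds(token: str, now: datetime = NOW) -> int:
    """Seconds until the JWT's exp claim. The payload is decoded WITHOUT verifying
    the signature: fine for comparing lifetimes, never for trusting the token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return int(claims["exp"] - now.timestamp())

def session_cookie_age_ok(set_cookie: str, token: str, now: datetime = NOW) -> bool:
    """The PR's acceptance criterion: the cookie must carry a lifetime the server
    controls, and that lifetime must not outlive the login.gov JWT."""
    lifetime = cookie_lifetime_seconds(set_cookie, now)
    return lifetime is not None and 0 < lifetime <= jwt_remaining_seconds(token, now)
```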
Deliverables

More details on how deliverables herein are assessed included here.

Deliverable 1: Accepted Features

Checklist of ACs:

- `SESSION_COOKIE_AGE` (match or lower than login.gov jwt expiration)
- `SESSION_TIMEOUT` variable in `common.py` and usages throughout the authentication api
- lfrohlich and/or adpennington confirmed that ACs are met.

Deliverable 2: Tested Code
- (CodeCov Report comment in PR)
- (CodeCov Report comment in PR)

Deliverable 3: Properly Styled Code
Deliverable 4: Accessible

- Did iamjolly and ttran-hub using Accessibility Insights reveal any errors introduced in this PR?

Deliverable 5: Deployed
Deliverable 6: Documented
Deliverable 7: Secure
Deliverable 8: User Research
Research product(s) clearly articulate(s):