The Wayback Machine - https://web.archive.org/web/20210908030228/https://github.com/ory/hydra/pull/2488
fix: CookieStore MaxAge value (#2485) #2488

Merged
merged 5 commits into from Apr 25, 2021

Contributor

@romanlytvyn romanlytvyn commented Apr 22, 2021

Related issue

Solves #2485

Proposed changes

Set CookieStore MaxAge option to 0 during initialization.

CookieStore MaxAge is set to 86400 * 30 by default.
This prevents secure cookies retrieval with expiration > 30 days.
MaxAge: 0 disables MaxAge check by SecureCookie, thus allowing sessions lasting > 30 days.

Checklist

  • I have read the contributing guidelines.
  • I have read the security policy.
  • I confirm that this pull request does not address a security
    vulnerability. If this pull request addresses a security vulnerability, I
    confirm that I got green light (please contact
    [email protected]) from the maintainers to push
    the changes.
  • I have added tests that prove my fix is effective or that my feature
    works.
  • I have added or changed the documentation.

Further comments

MaxAge can be made configurable, not sure if it's useful though.
Setting MaxAge to any non-zero value puts a hard cap over session remember_for functionality.
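
The age check the description relies on, as an added Go sketch that is not part of the pull request or of Hydra's code: a signed cookie carries its issue timestamp, and the decoder rejects it once it is older than MaxAge unless MaxAge is 0. The `encode`/`decode` helpers, the key and the cookie layout are assumptions made for this model and are not gorilla/securecookie's actual code or wire format.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Simplified model of a timestamped, MAC-signed cookie (constructed; not gorilla/securecookie code).
var key = []byte("constructed-demo-key")
var errExpired, errInvalid = errors.New("timestamp older than MaxAge"), errors.New("invalid cookie")

func sign(payload string) string {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(payload))
	return fmt.Sprintf("%x", h.Sum(nil))
}

// encode emits "mac|issuedAt|value"; the MAC covers the issue time and the value.
func encode(value string, issuedAt time.Time) string {
	payload := strconv.FormatInt(issuedAt.Unix(), 10) + "|" + value
	return sign(payload) + "|" + payload
}

// decode checks the MAC, then the age cap; a maxAge (seconds) of 0 skips the cap.
func decode(cookie string, maxAge int64, now time.Time) (string, error) {
	p := strings.SplitN(cookie, "|", 3)
	if len(p) != 3 || !hmac.Equal([]byte(sign(p[1]+"|"+p[2])), []byte(p[0])) {
		return "", errInvalid
	}
	issued, err := strconv.ParseInt(p[1], 10, 64)
	if err != nil {
		return "", errInvalid
	}
	if maxAge != 0 && issued < now.Unix()-maxAge {
		return "", errExpired
	}
	return p[2], nil
}

func main() {
	now := time.Unix(1619049600, 0)                       // constructed fixed clock
	c := encode("session-abc", now.Add(-45*24*time.Hour)) // issued 45 days ago
	fmt.Println(decode(c, 86400*30, now))                 // 30-day cap: rejected
	fmt.Println(decode(c, 0, now))                        // MaxAge 0: accepted
}
```

With the cap at 0 this model accepts any correctly signed cookie regardless of age, so the session lifetime has to be enforced by whatever the application records about the session.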


@CLAassistant CLAassistant commented Apr 22, 2021

CLA assistant check
All committers have signed the CLA.

@romanlytvyn romanlytvyn changed the title fix CookieStore MaxAge value (#2485) fix: CookieStore MaxAge value (#2485) Apr 22, 2021
Member

@aeneasr aeneasr left a comment

Awesome, thank you for your contribution! This looks pretty good and I have some ideas how to improve it further :)

driver/registry_base.go (review thread resolved)
@aeneasr aeneasr merged commit aafc901 into ory:master Apr 25, 2021
11 checks passed
mitar added a commit to mitar/hydra that referenced this pull request May 13, 2021
CookieStore MaxAge is set to 86400 * 30 by default. This prevents secure cookies retrieval with expiration > 30 days. MaxAge: 0 disables MaxAge check by SecureCookie, thus allowing sessions lasting > 30 days.

Closes  ory#2485

Co-authored-by: hackerman <[email protected]>