fix: CookieStore MaxAge value (#2485) #2488

Merged
merged 5 commits into from
Apr 25, 2021


romanlytvyn
Contributor

Related issue

Solves #2485

Proposed changes

Set CookieStore MaxAge option to 0 during initialization.

CookieStore MaxAge is set to 86400 * 30 by default.
This prevents secure cookies retrieval with expiration > 30 days.
MaxAge: 0 disables MaxAge check by SecureCookie, thus allowing sessions lasting > 30 days.

Checklist

  • I have read the contributing guidelines.
  • I have read the security policy.
  • I confirm that this pull request does not address a security
    vulnerability. If this pull request addresses a security vulnerability, I
    confirm that I got green light (please contact
    security@ory.sh) from the maintainers to push
    the changes.
  • I have added tests that prove my fix is effective or that my feature
    works.
  • I have added or changed the documentation.

Further comments

MaxAge can be made configurable, not sure if it's useful though.
Setting MaxAge to any non-zero value puts a hard cap over session remember_for functionality.
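
The decode-side age check described above, modelled with the Go standard library only. This is an added example, not code from this pull request, from Hydra, or from the SecureCookie implementation; `Codec`, its `unixtime|value|hmac` format and the key are assumptions made for illustration. It shows that a non-zero MaxAge rejects an old cookie on the server no matter what expiration the browser holds, while MaxAge 0 skips only the age check and still verifies the MAC.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

var ErrBadMAC, ErrExpired = errors.New("invalid MAC"), errors.New("timestamp expired")
// Codec is a constructed model of a timestamped cookie codec: "unixtime|value|hmac".
type Codec struct {
	Key    []byte
	MaxAge int64 // seconds; 0 disables the age check in Decode
}

func (c Codec) mac(p string) string {
	h := hmac.New(sha256.New, c.Key)
	h.Write([]byte(p))
	return fmt.Sprintf("%x", h.Sum(nil))
}

func (c Codec) Encode(value string, issued time.Time) string {
	p := strconv.FormatInt(issued.Unix(), 10) + "|" + value
	return p + "|" + c.mac(p)
}

// Decode checks the MAC first, then the age limit if one is configured.
func (c Codec) Decode(cookie string, now time.Time) (string, error) {
	i := strings.LastIndex(cookie, "|")
	if i < 0 || !hmac.Equal([]byte(c.mac(cookie[:i])), []byte(cookie[i+1:])) {
		return "", ErrBadMAC
	}
	ts, value, _ := strings.Cut(cookie[:i], "|")
	if issued, err := strconv.ParseInt(ts, 10, 64); err != nil {
		return "", ErrBadMAC
	} else if c.MaxAge != 0 && issued < now.Unix()-c.MaxAge {
		return "", ErrExpired // rejected server-side even if the browser still sends it
	}
	return value, nil
}

func main() {
	c, now := Codec{Key: []byte("constructed-key"), MaxAge: 86400 * 30}, time.Now()
	fmt.Println(c.Decode(c.Encode("sid", now.Add(-45*24*time.Hour)), now))
}
```

In this model a cookie decoded with MaxAge 0 is accepted at any age, so any lifetime limit has to come from data carried inside the signed value.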

@CLAassistant

CLAassistant commented Apr 22, 2021

CLA assistant check
All committers have signed the CLA.

@romanlytvyn changed the title from "fix CookieStore MaxAge value (#2485)" to "fix: CookieStore MaxAge value (#2485)" on Apr 22, 2021
Member

@aeneasr aeneasr left a comment

Awesome, thank you for your contribution! This looks pretty good and I have some ideas how to improve it further :)

driver/registry_base.go (resolved)
@aeneasr aeneasr merged commit aafc901 into ory:master Apr 25, 2021
mitar pushed a commit to mitar/hydra that referenced this pull request May 13, 2021
CookieStore MaxAge is set to 86400 * 30 by default. This prevents secure cookies retrieval with expiration > 30 days. MaxAge: 0 disables MaxAge check by SecureCookie, thus allowing sessions lasting > 30 days.

Closes ory#2485

Co-authored-by: hackerman <3372410+aeneasr@users.noreply.github.com>