Add maxAge to cookie options

[skid]

Is your feature request related to a problem? Please describe.

The problem with the sessionDuration setting is that it looks at the session record in the database only and decides to kill the session based on the last access time. However, the session and session.sig cookies don't have a maxAge setting so they expire when the browser session expires, which is unpredictable. On desktops, it's usually when you close the browser, but on mobile it's whenever the OS decides (mostly). This leads to random logouts for users.

A simple way to fix this is to allow the maxAge setting in cookieOptions which will be passed to the cookie expressed middleware.

[michaelbromley]

I'll add maxAge to the interface. For now, you should still actually be able to add it (although you'll need to make TypeScript happy) as the entire object gets passed as-is to the cookieSession middleware.

Note that currently, we do set maxAge when logging in with the rememberMe: true input set:

vendure/packages/core/src/api/common/set-session-token.ts

Line 28 in fc6b890

req.sessionOptions.maxAge = ms('1y');