Our product was recently subject to a pentest and we received a warning due to the use of persisted cookies, as per the Max-Age cookie setting.
I have reviewed the source code and it does not seem as if session cookies are possible, because the max-age will always be set to some number, regardless of how applySession is called.
Is it possible to enable session (in-memory / non-persisted) cookies and how?
Thank you.
@awarberg I am up for it. I guess it would require a change in how options are dealt with so you can provide a value for Max-Age that says "session cookies". This will require changes in the library, adding tests and a major version. I can do the major version but you'll need to add the new feature and a small test.
This should be an "easy enough" change: clone the code, dive into it, see where the options are dealt with, find the right option from the cookie library and give it a try.
Good luck!
PS: Since you mentioned pentest, if you're a big enough company, I can also do that change for you as a paid service, email me at vincent@codeagain.com if that's the case.
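To confirm whether a response still sets persisted cookies, as the pentest finding above describes, the following added example (not part of the thread or of the library's code) classifies `Set-Cookie` headers using the RFC 6265 expiry rules. The function names and the sample headers are constructed for illustration.

```javascript
// Split one Set-Cookie header into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";");
  const eq = pair.indexOf("=");
  const cookie = { name: (eq === -1 ? "" : pair.slice(0, eq)).trim(), attrs: {} };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    if (key) cookie.attrs[key] = i === -1 ? "" : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Returns "session", "persistent" or "deleted" for one Set-Cookie header.
function classifyCookie(header, now = new Date()) {
  const { attrs } = parseSetCookie(header);
  // A valid Max-Age takes precedence over Expires (RFC 6265, section 5.3);
  // a malformed Max-Age is ignored, so Expires is then consulted.
  if ("max-age" in attrs && /^-?\d+$/.test(attrs["max-age"])) {
    return Number(attrs["max-age"]) > 0 ? "persistent" : "deleted";
  }
  if ("expires" in attrs) {
    const when = Date.parse(attrs["expires"]);
    if (!Number.isNaN(when)) return when > now.getTime() ? "persistent" : "deleted";
  }
  // Neither attribute usable: the cookie lasts only for the browser session.
  return "session";
}

// Names of cookies that would be written to disk by the browser.
function auditCookies(headers, now = new Date()) {
  return headers
    .filter((h) => classifyCookie(h, now) === "persistent")
    .map((h) => parseSetCookie(h).name);
}

// Constructed sample headers, not captured from any real application.
const SAMPLE_HEADERS = [
  "sid=abc; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=1296000",
  "sid=abc; Path=/; HttpOnly; Secure; SameSite=Lax",
  "pref=1; Expires=Thu, 01 Jan 2099 00:00:00 GMT",
  "old=; Max-Age=0; Path=/",
  "both=1; Max-Age=60; Expires=Thu, 01 Jan 1970 00:00:00 GMT",
];

console.log(auditCookies(SAMPLE_HEADERS));
```

An empty result from `auditCookies` for the session cookie's header means neither `Max-Age` nor `Expires` reached the browser.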