Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Additional allowed cookieOptions #53

Merged
merged 4 commits into from
Jan 23, 2020
Merged

Additional allowed cookieOptions #53

merged 4 commits into from
Jan 23, 2020

Conversation

joshcanhelp
Copy link
Contributor

@joshcanhelp joshcanhelp commented Jan 16, 2020
edited
Loading

Description

  • Adds an ephemeral flag to appSessionCookie that, when true, will set the expire attribute for the session cookie to 0. Default value is false, which will use the appSessionDuration to set the cookie expiration.
  • Changes the default sameSite value in appSessionCookie to Lax. This does not change the behavior of the nonce or state cookies.

From the documentation:

Object defining application session cookie attributes. Allowed keys are domain, ephemeral, httpOnly, path, secure, and sameSite. Defaults are true for httpOnly, Lax for sameSite, and false for ephemeral. See the Express Response documentation for more information on all properties except ephemeral.

References

Testing

  • This change adds test coverage for new/changed/fixed functionality

@joshcanhelp joshcanhelp marked this pull request as ready for review January 17, 2020 00:00
@joshcanhelp joshcanhelp requested a review from a team January 17, 2020 00:02
@joshcanhelp joshcanhelp added this to the v0.7.0 milestone Jan 17, 2020
stevehobbsdev
stevehobbsdev previously approved these changes Jan 17, 2020
View reviewed changes
panva
panva suggested changes Jan 17, 2020
View reviewed changes
Copy link
Contributor

@panva panva left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Giving developers the option to set expires sounds like they should be configuring it, when in fact you'd only wanna use it to set it to 0 to get ephemeral cookies.

So why not call it ephemeral: true in the first place?

I don't think I'd ever have a case where I want use maxAge or expires, because for duration, i have the duration configuration option and i always figure they should be aligned (cookie and the JWE expiration).

Please get rid of maxAge as well as expires, and just have one boolean to get the removed feature in 08e6702

@joshcanhelp
Additional allowed cookieOptions
dfc3077 
Added `expires` allowed as null or 0 to set an ephemeral cookie (documented
method of setting duration to 0 did not work). Also added `maxAge` as an
additional way to set this cookie duration. If both are omitted, cookie expires
defaults to appSessionDuration.
@joshcanhelp
Add tests for cookies set; avoid config mutation
b4f6c24
@joshcanhelp joshcanhelp requested a review from a team January 18, 2020 00:44
@joshcanhelp joshcanhelp mentioned this pull request Jan 22, 2020
Closed
stevehobbsdev
stevehobbsdev reviewed Jan 23, 2020
View reviewed changes
lib/appSession.js Outdated Show resolved Hide resolved
@stevehobbsdev stevehobbsdev self-requested a review January 23, 2020 12:40
@joshcanhelp joshcanhelp merged commit 5ef59b1 into auth0:master Jan 23, 2020
@joshcanhelp joshcanhelp deleted the fix-session-cookie-opts branch January 23, 2020 14:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@panva panva panva approved these changes

@stevehobbsdev stevehobbsdev stevehobbsdev approved these changes

Assignees
No one assigned
Labels
CH: Fixed review:small Small review
Projects
None yet
Milestone
v0.7.0
Development

Successfully merging this pull request may close these issues.
3 participants
@joshcanhelp @panva @stevehobbsdev