allow setting cookie max age

In some settings 'session cookies' are not preferred, since they can be very long lived. This allows set the cookie max age to auto expire cookies
mu-semtech · Aug 26, 2024 · 01f0fee · 01f0fee
1 parent 1297bc0
commit 01f0fee
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -170,6 +170,7 @@ All settings are configured through environment variables.
 * `SESSION_COOKIE_SECURE`: Set SECURE flag of the session cookie (see [MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie))
 * `SESSION_COOKIE_HTTP_ONLY`: Set HTTP_ONLY flag of the session cookie (see [MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie)), on by default.
 * `SESSION_COOKIE_SAME_SITE`: Set SAME_SITE flag of the session cookie (see [MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie)), "Lax" by default unless `DEFAULT_ACCESS_CONTROL_ALLOW_ORIGIN_HEADER` is "*" then "None" by default.  This means the cookie is available only on your site unless you've also set the CORS header.
+* `SESSION_COOKIE_MAX_AGE`: Set the number of seconds until the cookie expires. By default this is not set and the cookie is a [session cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#expiresdate).
 * `IDLE_TIMEOUT`: the amount of time (in ms) that idle requests will be kept open (see [`idle_timeout` in the Cowboy docs](https://ninenines.eu/docs/en/cowboy/2.5/manual/cowboy_http/))
 * `OVERRIDE_VARY_HEADER`: EXPERIMENTAL When set, the [`Vary` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Vary) is overriden with the specified variable, regardless of what the backend provides.
 

diff --git a/config/config.exs b/config/config.exs
@@ -49,6 +49,7 @@ config :mu_identifier,
   default_access_control_allow_origin_header:
     System.get_env("DEFAULT_ACCESS_CONTROL_ALLOW_ORIGIN_HEADER"),
   default_mu_auth_allowed_groups_header: System.get_env("DEFAULT_MU_AUTH_ALLOWED_GROUPS_HEADER"),
+  session_cookie_max_age:  System.get_env("SESSION_COOKIE_MAX_AGE")
   session_cookie_secure: CH.system_boolean("SESSION_COOKIE_SECURE", false),
   session_cookie_http_only: CH.system_boolean("SESSION_COOKIE_HTTP_ONLY", true),
   session_cookie_same_site: CH.calculate_same_site(),

diff --git a/lib/proxy.ex b/lib/proxy.ex
@@ -63,11 +63,18 @@ defmodule Proxy do
   end
 
   def opts_from_environment do
-    [
+    base_opts = [
       secure: Application.get_env(:mu_identifier, :session_cookie_secure),
       http_only: Application.get_env(:mu_identifier, :session_cookie_http_only),
       same_site: Application.get_env(:mu_identifier, :session_cookie_same_site)
     ]
+
+    max_age = Application.get_env(:mu_identifier, :session_cookie_max_age)
+
+    case max_age do
+      nil -> base_opts
+      age -> base_opts ++ [max_age: String.to_integer(age)]
+    end
   end
 
 end