Conversation
| domain: getCookieDomain(url.host, req.args["proxy-domain"]), | ||
| path: normalize(url.pathname) || "/", | ||
| sameSite: "lax", | ||
| maxAge: getConfigCookieMaxAgeAsMilliseconds(req) || 0, |
There was a problem hiding this comment.
Oh wait is 0 the right default? This will delete the cookie instantly, I think? We may want -1.
There was a problem hiding this comment.
Hmm actually zero or negative immediately expires the cookie it seems.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#max-agenumber
https://datatracker.ietf.org/doc/html/rfc6265#section-5.2.2
Should it just be undefined? Also we may want ?? instead of || in case someone does explicitly set it to zero for some reason.
There was a problem hiding this comment.
I'd read it in the Express JS docs setting it to 0 makes it session
https://expressjs.com/en/api.html#res.cookie
They gave this explanation to the expires parameter, but also said maxAge is a "Convenient option for setting the expiry time relative to the current time in milliseconds". They didn't specify what to put here to make it session, nor what the default is.
There was a problem hiding this comment.
Yeah I also thought maybe it was an Express thing, but when I checked the source it seems to just immediately expire.
If maxAge is zero, it passes expires set to now and maxAge set to zero into cookie.serialize():
cookie.serialize() simply adds Max-Age=0 and Expires=<the now date> to the cookie:
Now, if expires is zero (although this is actually a type error), and there is no max age it does indeed skip setting Expires in that case, which would result in a session cookie. The difference is they do if (options.maxAge !== undefined) versus if (options.expires), so zero is not ignored in the max age case.
There was a problem hiding this comment.
Yeah I also thought maybe it was an Express thing, but when I checked the source it seems to just immediately expire.
If
maxAgeis zero, it passesexpiresset to now andmaxAgeset to zero intocookie.serialize():
cookie.serialize()simply addsMax-Age=0andExpires=<the now date>to the cookie:Now, if
expiresis zero (although this is actually a type error), and there is no max age it does indeed skip settingExpiresin that case, which would result in a session cookie. The difference is they doif (options.maxAge !== undefined)versusif (options.expires), so zero is not ignored in the max age case.
Hmm, what would be a good way to ensure it is properly a session cookie? Sending or we can just skip the field if there is no config for it.null seems illogical, but would work,
Edit: null won't work since the serialize method just checks for undefined, and raises an error if its not an integer.
There was a problem hiding this comment.
Yeah I think something like maxAge: getConfigCookieMaxAgeAsMilliseconds(req) ?? undefined would do the trick.
There was a problem hiding this comment.
Ah wait getConfigCookieMaxAgeAsMilliseconds always returns a number, so we would have to do it in there. We could return number | undefined.
|
Closing for now but happy to re-review if you come back to this. |
3 participants
Fixes #7301
Fixes #5437