fix(security): set an explicit session cookie lifetime

The session cookie relied on Starlette's default max_age (two weeks), which is
easy to miss and longer than an OP session should live. Add a session_max_age
setting (default 8 hours) and pass it to SessionMiddleware.

Refs: porchlight-1lg

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Johan Lundberg 2026-06-08 10:26:57 +02:00
parent cf2754f302
commit cba63280fb
No known key found for this signature in database
GPG key ID: A6C152738D03C7D1
3 changed files with 11 additions and 0 deletions


@ -143,6 +143,7 @@ def create_app(settings: Settings | None = None) -> FastAPI:
secret_key=session_secret,
same_site="lax",
https_only=settings.session_https_only,
max_age=settings.session_max_age,
)
# Rate limiting
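Review bot: `max_age=settings.session_max_age` gives an 8-hour sliding inactivity window rather than an absolute session lifetime, because Starlette's SessionMiddleware re-issues the cookie with a fresh `max_age` on every response that carries a non-empty session (the same value also bounds the itsdangerous timestamp check when the cookie is read back). If the "longer than an OP session should live" concern in the commit message means a hard cap, this argument alone does not provide one; store an issued-at timestamp in the session at login and clear the session once `now - issued_at` exceeds `session_max_age`. Either way, a short comment beside the argument saying whether this is meant as idle timeout or absolute lifetime would save the next reader from assuming the wrong one.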


@ -48,6 +48,7 @@ class Settings(BaseSettings):
# Session
session_secret: str | None = None # If None, a random secret is generated per process
session_https_only: bool = True
session_max_age: int = 28800 # Cookie lifetime in seconds (default 8 hours)
# WebAuthn user verification requirement: "preferred" (default), "required",
# or "discouraged". Identity providers may want "required".
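Review bot: `session_max_age: int = 28800` accepts any integer from the environment unvalidated, and the value is passed straight to SessionMiddleware, where zero or a negative number produces a cookie that expires immediately and a signer that rejects every incoming session. Constrain it at the settings boundary, e.g. `session_max_age: int = Field(28800, gt=0)` using pydantic's `Field`, so a misconfigured deployment fails at startup instead of silently logging everyone out. The trailing comment could also say this is an inactivity timeout, which is what the middleware actually enforces, rather than just "cookie lifetime".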