fix(security): set an explicit session cookie lifetime
The session cookie relied on Starlette's default max_age (two weeks), which is easy to miss and longer than an OP session should live. Add a session_max_age setting (default 8 hours) and pass it to SessionMiddleware. Refs: porchlight-1lg Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
parent
cf2754f302
commit
cba63280fb
3 changed files with 11 additions and 0 deletions
|
|
@ -143,6 +143,7 @@ def create_app(settings: Settings | None = None) -> FastAPI:
|
|||
secret_key=session_secret,
|
||||
same_site="lax",
|
||||
https_only=settings.session_https_only,
|
||||
max_age=settings.session_max_age,
|
||||
)
|
||||
|
||||
# Rate limiting
|
||||
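Review bot: The `max_age=settings.session_max_age,` line limits the cookie's age since it was last issued, not since login, because Starlette's SessionMiddleware (as far as I recall its send wrapper) re-emits the signed cookie with a fresh timestamp on every response that carries a non-empty session, so the value behaves as an idle timeout rather than the absolute session lifetime the commit message suggests. An absolute bound would need an issued-at value stored in the session and checked by the app, which this hunk does not add. Either way the intent deserves a comment at the call site, e.g. `max_age=settings.session_max_age,  # idle timeout: the cookie is re-issued on each response, so this is not an absolute session age`. create_app's body starts and ends outside the hunk.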
|
|
|
|||
|
|
@ -48,6 +48,7 @@ class Settings(BaseSettings):
|
|||
# Session
|
||||
session_secret: str | None = None # If None, a random secret is generated per process
|
||||
session_https_only: bool = True
|
||||
session_max_age: int = 28800 # Cookie lifetime in seconds (default 8 hours)
|
||||
|
||||
# WebAuthn user verification requirement: "preferred" (default), "required",
|
||||
# or "discouraged". Identity providers may want "required".
|
||||
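Review bot: `session_max_age: int = 28800` accepts any integer, including 0 or a negative value, and nothing in this hunk rejects them before the value is forwarded to SessionMiddleware, where a falsy or negative age would not produce the intended lifetime. If BaseSettings here is pydantic's, the bound is one line: `session_max_age: int = Field(28800, gt=0)  # Cookie lifetime in seconds (default 8 hours)`, with `Field` imported from pydantic at the top of the file if it is not already. The trailing comment could also state whether the lifetime is an inactivity timeout or an absolute age — with Starlette's SessionMiddleware it appears to be the former — so operators know what they are tuning. The Settings class body continues outside the hunk.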
|
|
|
|||