fix(security): set an explicit session cookie lifetime

The session cookie relied on Starlette's default max_age (two weeks), which is
easy to miss and longer than an OP session should live. Add a session_max_age
setting (default 8 hours) and pass it to SessionMiddleware.

Refs: porchlight-1lg

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Johan Lundberg 2026-06-08 10:26:57 +02:00
parent cf2754f302
commit cba63280fb
No known key found for this signature in database
GPG key ID: A6C152738D03C7D1
3 changed files with 11 additions and 0 deletions


@ -75,3 +75,12 @@ def test_create_app_allows_missing_secret_on_localhost() -> None:
def test_create_app_allows_missing_secret_in_debug() -> None:
settings = Settings(issuer="https://op.example.com", sqlite_path=":memory:", debug=True)
assert create_app(settings) is not None
async def test_session_cookie_has_explicit_max_age(client: AsyncClient) -> None:
# Visiting /login establishes a session (CSRF token), setting the cookie.
res = await client.get("/login")
set_cookies = res.headers.get_list("set-cookie")
session_cookies = [c for c in set_cookies if c.startswith("session=")]
assert session_cookies, "no session cookie set"
assert "Max-Age=28800" in session_cookies[0]
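Review bot: test_session_cookie_has_explicit_max_age only pins the default value, so a regression that hard-codes 28800 in the SessionMiddleware call and ignores `session_max_age` would still pass; a second case that builds the app with `Settings(issuer="https://op.example.com", sqlite_path=":memory:", session_max_age=60)` through `create_app` (as the neighbouring tests do) and checks the cookie for `Max-Age=60` would confirm the setting is actually plumbed through. The final assertion is also a loose substring match — `"Max-Age=28800" in session_cookies[0]` is satisfied by `Max-Age=288000` as well — so parse the header instead: `morsel = http.cookies.SimpleCookie(session_cookies[0])["session"]` followed by `assert morsel["max-age"] == "28800"`. If the middleware re-issues the cookie on every response, as Starlette's SessionMiddleware does, Max-Age bounds idle time rather than total session age, which is worth stating in the test comment: `# Max-Age is refreshed on each response, so this is an idle timeout, not an absolute session lifetime.`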