From fd4aaed208fb862c2f66edbe122f4c4e5d52c765 Mon Sep 17 00:00:00 2001
From: Kevin Morris
Date: Wed, 17 Aug 2022 10:01:06 -0700
Subject: [PATCH] fix: use max-age for all cookie expirations

in addition, remove cookie expiration for AURREMEMBER -- we don't really care about a session time for this cookie, it merely acts as a flag given out on login to remember what the user selected

Signed-off-by: Kevin Morris
---
 aurweb/routers/auth.py | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/aurweb/routers/auth.py b/aurweb/routers/auth.py
index 9f465388..50cec419 100644
--- a/aurweb/routers/auth.py
+++ b/aurweb/routers/auth.py
@@ -6,7 +6,7 @@ from sqlalchemy import or_
 
 import aurweb.config
 
-from aurweb import cookies, db, time
+from aurweb import cookies, db
 from aurweb.auth import requires_auth, requires_guest
 from aurweb.exceptions import handle_form_exceptions
 from aurweb.l10n import get_translator_for_request
@@ -65,15 +65,11 @@ async def login_post(request: Request,
         return await login_template(request, next,
                                     errors=["Bad username or password."])
 
-    login_timeout = aurweb.config.getint("options", "login_timeout")
-
-    expires_at = int(time.utcnow() + max(cookie_timeout, login_timeout))
-
     response = RedirectResponse(url=next, status_code=HTTPStatus.SEE_OTHER)
     secure = aurweb.config.getboolean("options", "disable_http_login")
-    response.set_cookie("AURSID", sid, expires=expires_at,
+    response.set_cookie("AURSID", sid, max_age=cookie_timeout,
                         secure=secure, httponly=secure,
                         samesite=cookies.samesite())
     response.set_cookie("AURTZ", user.Timezone,
@@ -83,7 +79,6 @@ async def login_post(request: Request,
                         secure=secure, httponly=secure,
                         samesite=cookies.samesite())
     response.set_cookie("AURREMEMBER", remember_me,
-                        expires=expires_at,
                         secure=secure, httponly=secure,
                         samesite=cookies.samesite())
     return response
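Review bot: `httponly=secure` on the AURSID `set_cookie` line in the second hunk ties the HttpOnly attribute to the `disable_http_login` option, so any deployment that still permits HTTP login hands out a session cookie that page scripts can read; HttpOnly is independent of the transport and should be set unconditionally on the session identifier, `secure=secure, httponly=True,`. The same coupling is repeated on the AURTZ cookie below it and on the AURREMEMBER cookie in the third hunk, though those carry preferences rather than the session id, so script access to them may be deliberate and is worth confirming rather than changing blindly. The new `max_age=cookie_timeout` also drops the old `max(cookie_timeout, login_timeout)` floor, so if the server-side session lifetime (set elsewhere in login_post) is longer than `cookie_timeout` the browser discards AURSID before the server does; presumably intended, but a one-line comment above the call stating which side is authoritative would stop the next reader from reintroducing `expires`. login_post starts before and ends after this hunk.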
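Review bot: After the third hunk the AURREMEMBER cookie carries neither `max_age` nor `expires`, which makes it a browser-session cookie while AURSID now persists for `cookie_timeout`, and the commit title says max-age is used for all cookie expirations, so this one exception deserves a comment. If anything later reads AURREMEMBER to decide how the session is refreshed (I can't tell from this hunk), a restarted browser will present AURSID without the flag; if the session-scoped lifetime is intended, add `# AURREMEMBER is a session cookie by design: it only records the login-time choice` above the `set_cookie` call, otherwise give it `max_age=cookie_timeout,` to match AURSID. login_post starts outside this hunk.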