
@WilberC WilberC commented Aug 10, 2025

Session cookie persistence

Overview

  • server.sessionCookieMaxAgeMinutes controls the browser persistence of the JSESSIONID cookie.
  • Default is 0 → session-only cookie (no persistent Max-Age) [this is how it currently works].
  • Set to a positive number (minutes) to make the cookie persistent.

Configure

Edit your server.conf:

server.sessionCookieMaxAgeMinutes = 0

  • Keep at 0 for session-only cookies.
  • Example for 30 days persistence:

server.sessionCookieMaxAgeMinutes = 43200

Restart the server to apply changes.

What changes

  • When > 0: Jetty issues Set-Cookie: JSESSIONID; Max-Age=<minutes*60>; HttpOnly.
  • When 0: No Max-Age is set (session cookie).
  • Server-side session inactivity timeout after login remains 30 days; this setting only affects browser persistence.

Verify

  1. Set desired value in server.conf, restart.
  2. Log in via WebUI.
  3. Check response headers or browser devtools:
    • With 0: Set-Cookie: JSESSIONID has no Max-Age.
    • With 5: header includes Max-Age=300.

Notes

  • Use session-only (0) for stricter security/privacy.
  • Use persistence for convenience on trusted devices/hosts.

- Added configuration for Jetty session cookie handling, allowing for persistent cookies based on the new `server.sessionCookieMaxAgeMinutes` setting.
- Updated session inactivity timeout to extend from ~30 minutes to 30 days.
- Simplified Jetty session cookie handling by directly using the `sessionCookieMaxAgeMinutes` from the server configuration.
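
A scripted form of the Verify steps above, as an added example that is not part of this pull request or the project's code: it parses a `Set-Cookie` header value and compares it with the configured `server.sessionCookieMaxAgeMinutes`. The function names and sample headers are constructed for illustration, and treating an `Expires` attribute as persistence goes beyond the Max-Age check the description lists.

```python
"""Check a JSESSIONID Set-Cookie header against the configured max age."""


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attrs)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value.strip(), attrs


def check_session_cookie(header, configured_minutes, cookie_name="JSESSIONID"):
    """Return a list of mismatches; an empty list means the header is as expected."""
    name, _, attrs = parse_set_cookie(header)
    if name != cookie_name:
        return [f"expected cookie {cookie_name}, got {name}"]
    findings = []
    if "httponly" not in attrs:
        findings.append("HttpOnly missing")
    max_age = attrs.get("max-age")
    if configured_minutes > 0:
        expected = configured_minutes * 60  # setting is in minutes, Max-Age in seconds
        if max_age is None:
            findings.append(f"Max-Age missing, expected {expected}")
        elif not max_age.isdigit() or int(max_age) != expected:
            findings.append(f"Max-Age={max_age}, expected {expected}")
    elif max_age is not None or "expires" in attrs:
        # Either attribute makes the browser keep the cookie across restarts.
        findings.append("cookie is persistent but setting is 0")
    return findings


# Constructed sample headers (not captured from a real server).
SAMPLES = [
    ("JSESSIONID=node0abc123; Path=/; HttpOnly", 0),
    ("JSESSIONID=node0abc123; Path=/; Max-Age=300; HttpOnly", 5),
    ("JSESSIONID=node0abc123; Path=/; Max-Age=300; HttpOnly", 0),
    ("JSESSIONID=node0abc123; Path=/; Max-Age=1800", 43200),
]

if __name__ == "__main__":
    for header, minutes in SAMPLES:
        print(minutes, check_session_cookie(header, minutes) or "ok")
```

Pass it the `Set-Cookie` value copied from the login response or from browser devtools, together with the value set in server.conf.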

# Sessions
# 0 = default session cookie behavior (no persistent Max-Age); >0 = persistent JSESSIONID with given max-age in minutes
server.sessionCookieMaxAgeMinutes = 0
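
Review bot: The comment above `server.sessionCookieMaxAgeMinutes` covers only 0 and positive values, so it does not say how a negative number is handled or whether there is any upper limit on the minutes. Stating both next to the key (for example that values below 0 behave like 0, if that is the intent) would keep operators from guessing, since this value decides how long the session cookie stays stored in the browser.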
Collaborator


I would say put it under authentication and name it simpleAuthSessionCookieMaxAge; add a comment after it similar to the other comments.

val sessionHandler = context.sessionHandler ?: SessionHandler()
sessionHandler.sessionCookieConfig.apply {
val cookieMaxAgeMinutes: Int = serverConfig.sessionCookieMaxAgeMinutes.value
if (cookieMaxAgeMinutes > 0) maxAge = (cookieMaxAgeMinutes * 60)
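
Review bot: `cookieMaxAgeMinutes * 60` is Int arithmetic with no upper bound on the configured value, so any setting above 35,791,394 minutes overflows and `maxAge` ends up negative or an unrelated number. Validate the setting when it is read (reject it or clamp it to a sane maximum) before multiplying. Negative values also fall through the `> 0` check silently, which deserves either a log line or a documented rule.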
Collaborator


Suggested change
if (cookieMaxAgeMinutes > 0) maxAge = (cookieMaxAgeMinutes * 60)
if (cookieMaxAgeMinutes > 0) maxAge = cookieMaxAgeMinutes.minutes.inWholeSeconds.toInt()
