sessions: use client-relative session expiration
This is my proposal to fix turris/os/packages#779 (closed).
Unfortunately, I don't have permission to fork the repository and open a merge request, so I'm attaching my patch to the description of this issue.
From dd8782666475300240f684c9825564266e8bbb0c Mon Sep 17 00:00:00 2001
From: László Várady <laszlo.varady@protonmail.com>
Date: Sun, 3 Apr 2022 21:06:57 +0200
Subject: [PATCH] sessions: use client-relative session expiration
This commit replaces the server-time-based `expires` attribute with
`max_age`, which is a timedelta relative to the client.
This fixes an issue in the reForis guide, where initial router setup was
not possible due to the device's clock being out of sync with the client's.
`expires` has not been removed in order to be compatible with older
browsers. Max-Age has precedence over Expires:
https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.2.2
Fixes turris/os/packages#779
---
reforis/sessions/sessions.py | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/reforis/sessions/sessions.py b/reforis/sessions/sessions.py
index 25e85309..9af27956 100644
--- a/reforis/sessions/sessions.py
+++ b/reforis/sessions/sessions.py
@@ -111,7 +111,12 @@ class FileSystemSessionInterface(SessionInterface):
httponly = self.get_cookie_httponly(app)
secure = self.get_cookie_secure(app)
+
expires = self.get_expiration_time(app, session)
+ max_age = None
+ if session.permanent:
+ max_age = app.permanent_session_lifetime
+
samesite = self.get_cookie_samesite(app)
data = dict(session)
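Review bot: the stray empty `+` line directly after `secure = self.get_cookie_secure(app)` adds a blank line the surrounding code did not have; drop it, or use it to separate the new `max_age` block from the `expires` assignment instead. The `if session.permanent:` test repeats the condition that `get_expiration_time` applies internally, which is what keeps `max_age` and `expires` either both set or both `None`; a one-line comment saying that `Max-Age` carries the client-relative lifetime and `Expires` is kept only as a fallback for browsers that ignore `Max-Age` (the rationale currently lives only in the commit message) would stop a later reader from removing one of the two.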
@@ -122,6 +127,6 @@ class FileSystemSessionInterface(SessionInterface):
else:
session_id = session.sid
response.set_cookie(app.session_cookie_name, session_id,
- expires=expires, httponly=httponly,
- domain=domain, path=path, secure=secure,
- samesite=samesite)
+ max_age=max_age, expires=expires,
+ httponly=httponly, domain=domain, path=path,
+ secure=secure, samesite=samesite)
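Review bot: `max_age` reaches `response.set_cookie` as a `timedelta` (`app.permanent_session_lifetime`); Werkzeug's `set_cookie` documents that it accepts a `timedelta` and converts it to whole seconds, but the conversion is implicit, so consider passing `int(app.permanent_session_lifetime.total_seconds())` to make the unit explicit and independent of that behaviour. For non-permanent sessions both `max_age` and `expires` remain `None`, so the cookie stays a browser-session cookie exactly as before, which is the intended behaviour.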
--
2.35.1
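The following is an added example, not part of the issue or of reForis: a small Python model of how a client evaluates a `Set-Cookie` header under RFC 6265, used to show the failure the patch addresses. With `Expires` alone, a server clock that is far behind the client's (the constructed scenario assumes a server stuck in the year 2000 and a client in 2022) produces a cookie that is already expired on arrival and is discarded; with `Max-Age` present, the client computes the lifetime from its own clock and keeps the cookie. The cookie name `session`, the timestamps and the 31-day lifetime are constructed values for the example.

```python
"""Added example (not reForis code): client-side evaluation of Set-Cookie
expiry attributes per RFC 6265, demonstrating why Max-Age survives server
clock skew while Expires does not. All inputs below are constructed."""
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed scenario: the server's clock is decades behind the client's.
SERVER_NOW = datetime(2000, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
CLIENT_NOW = datetime(2022, 4, 3, 19, 6, 57, tzinfo=timezone.utc)
LIFETIME = timedelta(days=31)  # constructed; Flask's default permanent lifetime


def server_set_cookie(server_now, lifetime, with_max_age):
    """Build the Set-Cookie header a server would emit from its own clock.

    Expires is always present (server-absolute); Max-Age is added only when
    with_max_age is True (client-relative number of seconds).
    """
    expires = format_datetime(server_now + lifetime, usegmt=True)
    attrs = [f"Expires={expires}", "HttpOnly", "Path=/"]
    if with_max_age:
        attrs.insert(0, f"Max-Age={int(lifetime.total_seconds())}")
    return "session=abc123; " + "; ".join(attrs)


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs


def effective_expiry(attrs, client_now):
    """Expiry as the client computes it (RFC 6265 section 5.2.2 / 5.2.1).

    Max-Age takes precedence over Expires when both are present. A
    non-positive Max-Age means "expire immediately". Neither attribute
    means a session cookie, modelled here as None.
    """
    if "max-age" in attrs:
        seconds = int(attrs["max-age"])
        if seconds <= 0:
            return client_now
        return client_now + timedelta(seconds=seconds)
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"])
    return None


def cookie_accepted(header, client_now):
    """True if the client would store the cookie rather than treat it as
    already expired at the moment it is received."""
    _, _, attrs = parse_set_cookie(header)
    expiry = effective_expiry(attrs, client_now)
    return expiry is None or expiry > client_now


if __name__ == "__main__":
    for with_max_age in (False, True):
        header = server_set_cookie(SERVER_NOW, LIFETIME, with_max_age)
        print(header)
        print("  accepted by skewed client:", cookie_accepted(header, CLIENT_NOW))
```

Run as a script it prints both headers and shows the Expires-only cookie rejected and the Max-Age cookie accepted; the same check is what a browser performs before deciding whether the reForis session cookie ever reaches the server again.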