fix: cookie maxAge should be in seconds #776
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
I'm pro rfc-adherence. The only pushback I can possibly see is that the Proposed Standard rfc 6265 does not define a limit; only this new draft does. It may have been unwise for Hono to have a hard failure for this; but at the same time, 365 days, or 400, seems reasonable and easily changeable by Supabase. If anyone logs into a website, then closes the browser and waits a year to go back to that site, it's reasonable to expect them to log in again. |
|
@j4w8n fyi, Chrome, Safari, and Firefox have all agreed on this limit and at least Chrome has shipped this limit in v104. Nonetheless, I do agree that Hono shouldn't be forcing this onto its users and have thus opened an issue there too. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What kind of change does this PR introduce?
Bug fix
What is the current behavior?
Cookie maxAge is currently being set to 1000 years, since maxAge is specified in seconds, not milliseconds.
What is the new behavior?
Cookie maxAge is 365 days (1 year), below the maxAge limit of 400 days (https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-13#section-4.1.2.2)
Additional context
Sorry for creating #765 again, but I don't think it's being monitored anymore now that it is closed.
As detailed in the earlier PR, this is seriously affecting usability for us with Hono, as it's currently requiring me to re-patch
@supabase/ssrevery time a new update to the package is released.