Skip to content

fix(auth): add Max-Age and __Host- prefix to session cookie#281

Open
jaredglaser wants to merge 1 commit into
claude/playwright-ci-lfyzhxfrom
fix/f22-session-cookie-attrs
Open

fix(auth): add Max-Age and __Host- prefix to session cookie#281
jaredglaser wants to merge 1 commit into
claude/playwright-ci-lfyzhxfrom
fix/f22-session-cookie-attrs

Conversation

@jaredglaser

@jaredglaser jaredglaser commented Jun 12, 2026

Copy link
Copy Markdown
Owner

Summary

  • The session cookie was a browser-session cookie with no Max-Age, so it expired with the browser while the DB session stayed valid for SESSION_TTL_HOURS. It also lacked the __Host- prefix on https deployments.
  • New shared module src/lib/auth/session-cookie.ts owns the cookie name, build, clear, and parse logic. buildSessionCookie now sets Max-Age from SESSION_TTL_HOURS (hours * 3600).
  • A deployment uses exactly one cookie name, keyed on isSecure: https issues __Host-session (browser enforces Secure, Path=/, no Domain), http (local dev) keeps session since browsers reject the prefix without Secure.
  • All read sites (auth middleware, session read middleware in auth.functions.tsx, SSE auth, logout) resolve the active name from isSecure and read only that name. Middleware and SSE auth derive isSecure from OIDC_REDIRECT_URI via the new isSecureCookie() helper; logout reuses the isSecure it already derives from config. On https a plain session cookie is ignored, so a cookie planted under the plain name cannot fixate a session past the __Host- guard.
  • CallbackHandlerDeps gains sessionTtlHours, wired from loadAuthConfig() in callbackGetHandler.

There is no dual-name migration support: there are no pre-existing sessions to migrate, so the cookie is never read or cleared under two names at once.

Testing

  • bun run typecheck passes.
  • Co-located test file src/lib/auth/__tests__/session-cookie.test.ts covers name selection, Max-Age, Secure/__Host- attributes, single-name clearing, and parse precedence/decoding edge cases (including that the plain name is ignored on https and the __Host- name is ignored on http).
  • Callback, logout, SSE auth, auth middleware, and auth.functions tests updated for the new deps shape and single-name reads. Note: Happy-DOM hides Set-Cookie on Response objects, so attribute assertions live in the helper tests, matching the existing test pattern.

Closes #247

🤖 Generated with Claude Code

@coderabbitai

coderabbitai Bot commented Jun 12, 2026

Copy link
Copy Markdown
Contributor

Warning

Review limit reached

@jaredglaser, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 40 minutes and 23 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 780095ae-fbf9-47f2-bf2c-1d24f2bbc614

📥 Commits

Reviewing files that changed from the base of the PR and between 4a195a4 and de2d368.

⛔ Files ignored due to path filters (1)
  • bun.lock is excluded by !**/*.lock
📒 Files selected for processing (45)
  • .github/workflows/ci.yml
  • .gitignore
  • CLAUDE.md
  • bunfig.toml
  • docs/development.md
  • docs/playwright-test-plan.md
  • e2e/demo.demo.spec.ts
  • e2e/fixtures.ts
  • e2e/smoke.spec.ts
  • package.json
  • playwright.config.ts
  • public/mockServiceWorker.js
  • scripts/serve-static.ts
  • src/client.tsx
  • src/components/AppShell.tsx
  • src/data/__tests__/auth.functions.auth-enabled.test.ts
  • src/data/auth.functions.tsx
  • src/lib/auth/__tests__/callback-handler.test.ts
  • src/lib/auth/__tests__/logout-handler.test.ts
  • src/lib/auth/__tests__/session-cookie.test.ts
  • src/lib/auth/__tests__/sse-auth.test.ts
  • src/lib/auth/callback-handler.ts
  • src/lib/auth/logout-handler.ts
  • src/lib/auth/session-cookie.ts
  • src/lib/auth/sse-auth.ts
  • src/lib/config/auth-config.ts
  • src/lib/constants/mock.ts
  • src/lib/mock/__tests__/mock-event-source.test.ts
  • src/lib/mock/browser.ts
  • src/lib/mock/functions/git-tokens.functions.ts
  • src/lib/mock/functions/hosts.functions.ts
  • src/lib/mock/handlers/__tests__/function-id.test.ts
  • src/lib/mock/handlers/__tests__/server-functions.test.ts
  • src/lib/mock/handlers/__tests__/sse-stream.test.ts
  • src/lib/mock/handlers/function-id.ts
  • src/lib/mock/handlers/index.ts
  • src/lib/mock/handlers/server-functions.ts
  • src/lib/mock/handlers/sse-stream.ts
  • src/lib/mock/handlers/sse.ts
  • src/lib/mock/install-demo.ts
  • src/lib/mock/mock-event-source.ts
  • src/lib/mock/start.ts
  • src/middleware/auth-middleware.ts
  • src/routes/__root.tsx
  • vite.config.ts
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/f22-session-cookie-attrs

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Single-name session cookie keyed on isSecure (derived from OIDC_REDIRECT_URI):
https issues __Host-session + Secure, http issues the plain session name.
Max-Age mirrors the DB session TTL. No dual-name migration support.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01JyRSkAfm3xbEYoW8QF2N9n
@jaredglaser jaredglaser force-pushed the fix/f22-session-cookie-attrs branch from 72342be to de2d368 Compare June 21, 2026 22:33
@jaredglaser jaredglaser changed the base branch from main to claude/playwright-ci-lfyzhx June 21, 2026 22:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Session cookie: add Max-Age and __Host- prefix

2 participants