Describe the feature
iron seal is called with (h3/src/utils/session.ts, line 205 in edb53fe):

```ts
ttl: config.maxAge ? config.maxAge * 1000 : 0,
```
Resealing the session updates the expiration to now + maxAge.

The cookie, however, is set with (h3/src/utils/session.ts, line 181 in edb53fe):

```ts
expires: config.maxAge ? new Date(session.createdAt + config.maxAge * 1000) : undefined,
```

That means the cookie's expiration is createdAt + maxAge.
On h3 unseal the expiration is checked with (h3/src/utils/session.ts, lines 226 to 229 in edb53fe):

```ts
const age = Date.now() - (unsealed.createdAt || Number.NEGATIVE_INFINITY);
if (age > config.maxAge * 1000) {
  throw new Error("Session expired!");
}
```

This means the seal's expiration is effectively createdAt + maxAge.
If the expiration should be based on createdAt, why not change the seal logic and remove the unseal logic?

The current logic makes setting an expiration based on inactivity (sliding expiration) impossible.

A user logs in and gets a session with a maxAge of 15 min. The user stays active for 15 min and will get locked out, as both the cookie has expired and unsealSession fails (the iron unseal goes through, as its logic is different from the h3 unseal logic).

What I want is: a user logs in and gets a session with a maxAge of 15 min. The user stays active, and the session gets resealed on every API call (which updates the expiration to now + maxAge). The user becomes inactive. If active again after 15 min, both the cookie and the seal are expired.
Additional information