Skip to content

FEAT: Configurable session cookie max-age (0 = session-only)#1581

Open
WilberC wants to merge 2 commits intoSuwayomi:masterfrom
WilberC:feat/configurable-session-cookie-max-age
Open

FEAT: Configurable session cookie max-age (0 = session-only)#1581
WilberC wants to merge 2 commits intoSuwayomi:masterfrom
WilberC:feat/configurable-session-cookie-max-age

Conversation

@WilberC
Copy link

@WilberC WilberC commented Aug 10, 2025

Session cookie persistence

Overview

  • server.sessionCookieMaxAgeMinutes controls the browser persistence of the JSESSIONID cookie.
  • Default is 0 → session-only cookie (no persistent Max-Age) [Currently is working like this].
  • Set to a positive number (minutes) to make the cookie persistent.

Configure

Edit your server.conf:

server.sessionCookieMaxAgeMinutes = 0
  • Keep at 0 for session-only cookies.
  • Example for 30 days persistence:
server.sessionCookieMaxAgeMinutes = 43200

Restart the server to apply changes.

What changes

  • When > 0: Jetty issues Set-Cookie: JSESSIONID; Max-Age=<minutes*60>; HttpOnly.
  • When 0: No Max-Age is set (session cookie).
  • Server-side session inactivity timeout after login remains 30 days; this setting only affects browser persistence.

Verify

  1. Set desired value in server.conf, restart.
  2. Login via WebUI.
  3. Check response headers or browser devtools:
    • With 0: Set-Cookie: JSESSIONID has no Max-Age.
    • With 5: header includes Max-Age=300.

Notes

  • Use session-only (0) for stricter security/privacy.
  • Use persistence for convenience on trusted devices/hosts.

WilberC added 2 commits August 10, 2025 04:15
@WilberC
Enhance session management in Javalin setup
ebbd8e0 
- Added configuration for Jetty session cookie handling, allowing for persistent cookies based on the new `server.sessionCookieMaxAgeMinutes` setting.
- Updated session inactivity timeout to extend from ~30 minutes to 30 days.
@WilberC
Refactor session cookie configuration in Javalin setup
81b40fe 
- Simplified Jetty session cookie handling by directly using the `sessionCookieMaxAgeMinutes` from the server configuration.
Syer10
Syer10 requested changes Aug 12, 2025
View reviewed changes
server/src/main/resources/server-reference.conf

# Sessions
# 0 = default session cookie behavior (no persistent Max-Age); >0 = persistent JSESSIONID with given max-age in minutes
server.sessionCookieMaxAgeMinutes = 0
Copy link
Collaborator

@Syer10 Syer10 Aug 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would say put it under authentication and name it simpleAuthSessionCookieMaxAge, add a comment after it similar to the other comments

server/src/main/kotlin/suwayomi/tachidesk/server/JavalinSetup.kt
val sessionHandler = context.sessionHandler ?: SessionHandler()
sessionHandler.sessionCookieConfig.apply {
val cookieMaxAgeMinutes: Int = serverConfig.sessionCookieMaxAgeMinutes.value
if (cookieMaxAgeMinutes > 0) maxAge = (cookieMaxAgeMinutes * 60)
Copy link
Collaborator

@Syer10 Syer10 Aug 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if (cookieMaxAgeMinutes > 0) maxAge = (cookieMaxAgeMinutes * 60)
if (cookieMaxAgeMinutes > 0) maxAge = cookieMaxAgeMinutes.minutes.inWholeSeconds.toInt()

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Syer10 Syer10 Syer10 requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@WilberC @Syer10

Comments