ensure expires session

Here we manually check the configured session expiry to ensure that we account for `Expires: Session`. This follows the Django implementation. See: https://github.com/django/django/blob/9c6d7b4a678b7bbc6a1a14420f686162ba9016f5/django/contrib/sessions/middleware.py#L48-L49
maxcountryman · Jan 27, 2024 · d08b87b · d08b87b
1 parent c3cd956
commit d08b87b
Showing 1 changed file with 10 additions and 4 deletions.
diff --git a/src/service.rs b/src/service.rs
@@ -30,14 +30,16 @@ struct SessionConfig {
 }
 
 impl SessionConfig {
-    fn build_cookie<'c>(&self, session_id: session::Id, expiry_age: Duration) -> Cookie<'c> {
+    fn build_cookie<'c>(&self, session_id: session::Id, max_age: Option<Duration>) -> Cookie<'c> {
         let mut cookie_builder = Cookie::build((self.name.clone(), session_id.to_string()))
             .http_only(self.http_only)
             .same_site(self.same_site)
             .secure(self.secure)
             .path(self.path.clone());
 
-        cookie_builder = cookie_builder.max_age(expiry_age);
+        if let Some(max_age) = max_age {
+            cookie_builder = cookie_builder.max_age(max_age);
+        }
 
         if let Some(domain) = &self.domain {
             cookie_builder = cookie_builder.domain(domain.clone());
@@ -169,8 +171,12 @@ where
                             return Ok(res);
                         };
 
-                        let expiry_age = session.expiry_age();
-                        let session_cookie = session_config.build_cookie(session_id, expiry_age);
+                        let max_age = match session.expiry() {
+                            Some(Expiry::OnSessionEnd) | None => None,
+                            _ => Some(session.expiry_age()),
+                        };
+
+                        let session_cookie = session_config.build_cookie(session_id, max_age);
 
                         tracing::debug!("adding session cookie");
                         cookies.add(session_cookie);