From 15a5c5ac3ea7529b53c4c59d10560605f8866c38 Mon Sep 17 00:00:00 2001
From: Max Countryman
Date: Sat, 27 Jan 2024 08:17:05 -0800
Subject: [PATCH 1/2] ensure expires session

Here we manually check the configured session expiry to ensure that we account for `Expires: Session`. This follows the Django implementation. See: https://github.com/django/django/blob/9c6d7b4a678b7bbc6a1a14420f686162ba9016f5/django/contrib/sessions/middleware.py#L48-L49
---
 src/service.rs | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/service.rs b/src/service.rs
index cc8e62d..6039292 100644
--- a/src/service.rs
+++ b/src/service.rs
@@ -37,7 +37,9 @@ impl SessionConfig {
 .secure(self.secure)
 .path(self.path.clone());

- cookie_builder = cookie_builder.max_age(expiry_age);
+ if !matches!(self.expiry, Some(Expiry::OnSessionEnd) | None) {
+ cookie_builder = cookie_builder.max_age(expiry_age);
+ }

 if let Some(domain) = &self.domain {
 cookie_builder = cookie_builder.domain(domain.clone());

From a0e72261dd4ab8f00376a8c4995f724615742631 Mon Sep 17 00:00:00 2001
From: Max Countryman
Date: Sat, 27 Jan 2024 08:53:49 -0800
Subject: [PATCH 2/2] update test case

---
 tests/common/mod.rs | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/tests/common/mod.rs b/tests/common/mod.rs
index 65877f8..00b15e9 100644
--- a/tests/common/mod.rs
+++ b/tests/common/mod.rs
@@ -179,9 +179,7 @@ macro_rules! route_tests {
 assert_eq!(session_cookie.name(), "id");
 assert_eq!(session_cookie.http_only(), Some(true));
 assert_eq!(session_cookie.same_site(), Some(SameSite::Strict));
- assert!(session_cookie
- .max_age()
- .is_some_and(|d| d <= Duration::weeks(2)));
+ assert!(session_cookie.max_age().is_none());
 assert_eq!(session_cookie.secure(), Some(true));
 assert_eq!(session_cookie.path(), Some("/"));
 }
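Review bot: The new guard in `src/service.rs` decides on `self.expiry`, but the value it writes is the separately supplied `expiry_age`, so the cookie lifetime follows the configured default rather than whatever produced `expiry_age`. If a session can carry its own expiry (not visible in this hunk), a per-session override could end up with a `Max-Age` it should not have, or without one it should have. Consider handing the effective expiry to this function and matching on that instead of `self.expiry`. A comment above the `if` would also help, e.g. `// No Max-Age/Expires => browser-session cookie; the store must still enforce expiry server-side.`, because browsers with session restore can keep such a cookie across restarts. The enclosing function starts and ends outside the hunk.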
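Review bot: Replacing the bounded `max_age()` check with `assert!(session_cookie.max_age().is_none());` in `tests/common/mod.rs` leaves no visible assertion that a configured non-`OnSessionEnd` expiry still yields a `Max-Age`. A regression that dropped the attribute for every expiry kind would pass this test. Unless another case already covers it (the rest of `route_tests!` is outside the hunk), add a companion test that configures an explicit expiry and keeps the old form, `assert!(session_cookie.max_age().is_some_and(|d| d <= Duration::weeks(2)));`. A short comment on the new assertion stating that the default configuration is expected to produce a browser-session cookie would make the intent clear.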