fix: set max-age default cookie option to 400 days #54
Thanks for this, but if you look at the details of #37, this involves more than browser implementations - namely Hono throwing an error when max age is over 400 days. I don't think it's necessarily Supabase's responsibility to work around other libraries' code, and possibly poor choices, but adhering to the draft rfc mentioned on the other pr - to set this at 400 days - seems reasonable. Can someone explain the rationale so that if this stays at 5 years, we at least know why the decision was made to not follow the rfc? Truly appreciate all you do 🙏; just trying to understand.
The upcoming RFC for the HTTP cookie spec (6265) explicitly defines a lifetime maximum of 400 days for cookies. I'd set it to the max value as defined by the spec, but either way, thank you!
idan left a comment
Made a suggested change here to track the new cookie lifetime limits in the HTTP spec
Also linking to https://github.com/supabase/auth-helpers/issues/441 for posterity
Title changed: "max-age default cookie option to a sensible value" → "max-age default cookie option to 400 days"
🤖 I have created a release *beep* *boop*

---

## [0.5.1](v0.5.0...v0.5.1) (2024-08-28)

### Bug Fixes

* remove optional dependencies ([#41](#41)) ([a48fe6f](a48fe6f))
* set `max-age` default cookie option to 400 days ([#54](#54)) ([f4ed2e0](f4ed2e0))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Some browsers didn't like the large number used by the `Max-Age` default cookie option, causing weird behavior. It's now set to 400 days.
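The 400-day cap discussed in this thread, as an added example that is not code from this pull request or from any library named in it: a cookie serializer that clamps both `Max-Age` and `Expires` to the limit, next to a strict check of the kind that rejects over-limit values. The helper names and the `sb-token` cookie are hypothetical.

```javascript
// Added example: not code from this pull request or from any library named in it.
// 400 days in seconds, the cookie lifetime cap the thread cites from the RFC 6265 revision.
const MAX_COOKIE_AGE_SECONDS = 400 * 24 * 60 * 60; // 34560000

// Hypothetical model of a strict framework check that rejects over-limit lifetimes.
function isWithinLimit(maxAgeSeconds) {
  return Number.isFinite(maxAgeSeconds) && maxAgeSeconds <= MAX_COOKIE_AGE_SECONDS;
}

// Clamp a requested lifetime to the cap instead of emitting a value that a
// browser may shorten silently or a strict serializer may refuse.
function clampMaxAge(requestedSeconds) {
  if (!Number.isFinite(requestedSeconds)) {
    throw new TypeError("maxAge must be a finite number of seconds");
  }
  return Math.min(Math.floor(requestedSeconds), MAX_COOKIE_AGE_SECONDS);
}

// Minimal Set-Cookie serializer (no cookie-name validation) that applies the cap
// to both lifetime attributes. `now` is injectable so the result is deterministic.
function serializeCookie(name, value, options = {}, now = Date.now()) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (options.maxAge !== undefined) {
    parts.push(`Max-Age=${clampMaxAge(options.maxAge)}`);
  }
  if (options.expires !== undefined) {
    const latest = now + MAX_COOKIE_AGE_SECONDS * 1000;
    const when = Math.min(options.expires.getTime(), latest);
    parts.push(`Expires=${new Date(when).toUTCString()}`);
  }
  parts.push(`Path=${options.path ?? "/"}`);
  if (options.secure) parts.push("Secure");
  if (options.httpOnly) parts.push("HttpOnly");
  if (options.sameSite) parts.push(`SameSite=${options.sameSite}`);
  return parts.join("; ");
}

// Constructed input: a five-year lifetime like the value mentioned in the thread.
const FIVE_YEARS_SECONDS = 5 * 365 * 24 * 60 * 60; // 157680000
const header = serializeCookie(
  "sb-token", // constructed cookie name
  "a b",
  { maxAge: FIVE_YEARS_SECONDS, secure: true, httpOnly: true, sameSite: "Lax" },
);
console.log(isWithinLimit(FIVE_YEARS_SECONDS), header);
```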