What is the purpose of max_age propertie in cookie component ?

[anayrat]

Hello,
I implement authentication with :

-- The authentication component will stop the execution of the page and redirect the user to the login page if
-- the password is incorrect or if the user does not exist. 
SELECT 'authentication' AS component,
    'signin.sql?error' AS link,
    (SELECT password_hash FROM user_info WHERE username = :username) AS password_hash,
    :password AS password;
    
-- Generate a random 32 characters session ID, insert it into the database,
-- and save it in a cookie on the user's browser.
INSERT INTO login_session (id, username)
VALUES (sqlpage.random_string(32), :username)
RETURNING 
    'cookie' AS component,
    'session' AS name,
    id AS value,
    3600::int AS max_age, -- expire after one hour
    FALSE AS secure; -- You can remove this if the site is served over HTTPS.

-- Redirect the user to the protected page.
SELECT 'redirect' AS component, 'admin.sql' AS link;

But I can see my user is still logged after one hour.

I've seen in the example we can check session age with :

https://github.com/lovasoa/SQLpage/blob/9c47ec94cc909029853391a5c5d7b297530a18ef/examples/CRUD%20-%20Authentication/www/login.sql#L3-L8

I will change according to this example, but I wonder why max_age seems ignored ?
Thanks

[lovasoa]

can you check the created cookie in your browser's developer tools? Do you see the max-age property, and the browser still doesn't respect it?

[lovasoa]

I don't understand this. Can you paste the http header and a screenshot from your browser developer tools storage panel with the cookie?

[anayrat]

Here are response header :

HTTP/1.1 302 Found
content-length: 0
set-cookie: session=stFQ86rHXM3WaR6NLzw3N17pEYVx5Cae; HttpOnly; SameSite=Strict; Path=/
location: admin.sql
content-security-policy: script-src 'self' https://cdn.jsdelivr.net
content-type: text/html; charset=utf-8
server: sqlpage v0.24.0
date: Fri, 12 Jul 2024 19:53:46 GMT

[lovasoa]

That's a bug ! Thanks for reporting it !

I opened #501 to track this

[lovasoa]

In the meantime, you can use exprires, which should work as expected.

[lovasoa]

Just fixed the issue. This will be in 0.25.

The builds are being deployed to docker hub.