This is an automated email from the ASF dual-hosted git repository. wu-sheng pushed a commit to branch fix/session-sliding-cookie in repository https://gitbox.apache.org/repos/asf/skywalking-horizon-ui.git
commit c677eb8a30240a9f79419c4274035ed12949be38 Author: Wu Sheng <[email protected]> AuthorDate: Thu May 28 20:37:02 2026 +0800 fix(auth): slide the session cookie maxAge on each request The server slides a session's TTL on every authenticated request (`sessions.touch()`), but the cookie's maxAge was stamped only at login. So an actively-used session kept sliding server-side while the browser cookie still expired at login + ttl — the user was silently logged out mid-session. requireAuth now re-stamps the cookie (same options as login, only maxAge refreshed) after a successful touch, so the browser expiry tracks the sliding server TTL. --- apps/bff/src/user/middleware.ts | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/apps/bff/src/user/middleware.ts b/apps/bff/src/user/middleware.ts index bc7a589..9a7d616 100644 --- a/apps/bff/src/user/middleware.ts +++ b/apps/bff/src/user/middleware.ts @@ -60,6 +60,20 @@ export function requireAuth(deps: AuthDeps) { return void reply.code(401).send({ error: 'unauthenticated' }); } req.session = session; + // Sliding session: touch() just slid the server-side TTL, so + // re-stamp the cookie's maxAge to match. The cookie's expiry was + // set only at login, so without this an actively-used session still + // expires in the browser at login + ttl while the server believes + // it's alive — the user is logged out mid-session. Mirror the login + // cookie options exactly so only maxAge slides. + const s = deps.config.current.session; + reply.setCookie(s.cookieName, sid, { + httpOnly: true, + sameSite: 'strict', + secure: s.cookieSecure, + path: '/', + maxAge: s.ttlMinutes * 60, + }); }; }
