This is an automated email from the ASF dual-hosted git repository.

wu-sheng pushed a commit to branch fix/session-sliding-cookie
in repository https://gitbox.apache.org/repos/asf/skywalking-horizon-ui.git

commit c677eb8a30240a9f79419c4274035ed12949be38
Author: Wu Sheng <[email protected]>
AuthorDate: Thu May 28 20:37:02 2026 +0800

    fix(auth): slide the session cookie maxAge on each request
    
    The server slides a session's TTL on every authenticated request
    (`sessions.touch()`), but the cookie's maxAge was stamped only at
    login. So an actively-used session kept sliding server-side while the
    browser cookie still expired at login + ttl — the user was silently
    logged out mid-session. requireAuth now re-stamps the cookie (same
    options as login, only maxAge refreshed) after a successful touch, so
    the browser expiry tracks the sliding server TTL.
---
 apps/bff/src/user/middleware.ts | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/apps/bff/src/user/middleware.ts b/apps/bff/src/user/middleware.ts
index bc7a589..9a7d616 100644
--- a/apps/bff/src/user/middleware.ts
+++ b/apps/bff/src/user/middleware.ts
@@ -60,6 +60,20 @@ export function requireAuth(deps: AuthDeps) {
       return void reply.code(401).send({ error: 'unauthenticated' });
     }
     req.session = session;
+    // Sliding session: touch() just slid the server-side TTL, so
+    // re-stamp the cookie's maxAge to match. The cookie's expiry was
+    // set only at login, so without this an actively-used session still
+    // expires in the browser at login + ttl while the server believes
+    // it's alive — the user is logged out mid-session. Mirror the login
+    // cookie options exactly so only maxAge slides.
+    const s = deps.config.current.session;
+    reply.setCookie(s.cookieName, sid, {
+      httpOnly: true,
+      sameSite: 'strict',
+      secure: s.cookieSecure,
+      path: '/',
+      maxAge: s.ttlMinutes * 60,
+    });
   };
 }
 

Reply via email to