Commit
Encode auth token expiry in cookie max age
Cookies without a max age (or expiry date) become session cookies, which means they are cleared when the browser is closed. Most browsers, however, support session restore, which is where sessions are not cleared on browser close, appearing 'restored' when the browser is opened again. For browsers which do not support session restore, particularly mobile Firefox and Chrome, users get logged out every time they close their browser - which is not a pleasant experience. Setting the max age of cookies the same as the expiry date on the auth token makes them persistent until the specified date, so users will only be logged out when their token expires (as intended).
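The approach described in the commit message, as an added example that is not code from this commit or its project: the cookie's `Max-Age` is derived from the token's expiry, so the cookie outlives a browser restart but never the token. The cookie name, function names and sample values are assumptions made for illustration.

```python
from datetime import datetime, timezone
from typing import Optional

COOKIE_NAME = "auth_token"  # assumed name, not taken from the commit


def max_age_for(expires_at: datetime, now: datetime) -> int:
    """Seconds until the token expires, clamped at 0 for expired tokens."""
    if expires_at.tzinfo is None or now.tzinfo is None:
        raise ValueError("use timezone-aware datetimes to avoid local-time skew")
    return max(0, int((expires_at - now).total_seconds()))


def auth_cookie(token: str, expires_at: datetime,
                now: Optional[datetime] = None) -> str:
    """Build a Set-Cookie value whose lifetime matches the token's lifetime.

    `token` is assumed to be an opaque, cookie-safe string.
    """
    now = now or datetime.now(timezone.utc)
    max_age = max_age_for(expires_at, now)
    # Max-Age=0 makes the browser drop the cookie, so an expired token
    # is cleared instead of being stored again.
    value = token if max_age > 0 else ""
    return "; ".join([
        f"{COOKIE_NAME}={value}",
        f"Max-Age={max_age}",
        "Path=/",
        "HttpOnly",      # persistent cookies stay on disk: keep them away from scripts
        "Secure",        # and off plaintext connections
        "SameSite=Lax",
    ])


def is_session_cookie(set_cookie: str) -> bool:
    """True when the header has neither Max-Age nor Expires (cleared on close)."""
    attrs = {p.split("=")[0].strip().lower() for p in set_cookie.split(";")[1:]}
    return not ({"max-age", "expires"} & attrs)


if __name__ == "__main__":
    # Constructed sample: token issued at a fixed time, valid for one hour.
    issued = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    expiry = datetime(2024, 1, 1, 13, 0, tzinfo=timezone.utc)
    print(auth_cookie("tok-constructed", expiry, now=issued))
```

Because the cookie is now written to disk until the token expires, the server-side expiry check on the token remains the authority; the cookie lifetime only controls how long the browser keeps presenting it.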