From 9d4ec511cded82c0d4e4e1b46c532cb31ee2b738 Mon Sep 17 00:00:00 2001
From: clopen-set <33433326+clopen-set@users.noreply.github.com>
Date: Fri, 29 May 2026 00:37:51 -0400
Subject: [PATCH] fix(ios): set max-age on session cookie so it survives cold reopen

Without max-age the cookie is session-scoped and WKWebView drops it when the app process is killed, falling through to biometric recovery on every cold reopen. 1209600 = 2 weeks, matches Django's SESSION_COOKIE_AGE default.
---
 apps/web/src/runtime/native-auth.ts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/apps/web/src/runtime/native-auth.ts b/apps/web/src/runtime/native-auth.ts
index 3ffb1216bdf..7356bc01e9d 100644
--- a/apps/web/src/runtime/native-auth.ts
+++ b/apps/web/src/runtime/native-auth.ts
@@ -180,7 +180,10 @@ export async function waitForNativeSessionCookie(): Promise {
 * same code works across environments without runtime host sniffing.
 */
 export function installSessionCookies(sessionToken: string): void {
- const cookieAttrs = "path=/; domain=.vellum.ai; secure; samesite=lax";
+ // `max-age` makes the cookie persistent. If unspecified, the cookie
+ // expires at the end of the session, and users will be required to
+ // login again.
+ const cookieAttrs = "path=/; domain=.vellum.ai; secure; samesite=lax; max-age=1209600";
 document.cookie = `sessionid=${sessionToken}; ${cookieAttrs}`;
 document.cookie = `__Secure-sessionid=${sessionToken}; ${cookieAttrs}`;
 }
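Review bot: The `max-age=1209600` added to `cookieAttrs` makes a script-written session token (which cannot be HttpOnly, since it is set via `document.cookie`) persist in the WebView cookie store for two weeks, and the new comment records only the convenience side of that. The attribute bounds only the client copy, so expiry and revocation still have to be enforced server-side, and logout should clear both `sessionid` and `__Secure-sessionid` with the same `path` and `domain`; the hunk does not show either, so this is worth confirming. The value is a hard-coded copy of Django's `SESSION_COOKIE_AGE` default per the commit message and will drift silently if the backend setting changes; I would name it, for example `const SESSION_COOKIE_MAX_AGE_S = 14 * 24 * 60 * 60; // keep in sync with backend SESSION_COOKIE_AGE`, and append `max-age=${SESSION_COOKIE_MAX_AGE_S}` to the attribute string. Separately, `sessionToken` is interpolated unescaped, so if it can ever contain `;` it would inject cookie attributes; presumably it comes from the native layer, but a format check before the two writes would make that explicit. The function's doc comment starts outside the hunk.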