[ATL-763] [LUM-1951] fix(ios): set max-age on session cookie so it survives cold reopen #32529
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -180,7 +180,10 @@ export async function waitForNativeSessionCookie(): Promise<void> { | |
| * same code works across environments without runtime host sniffing. | ||
| */ | ||
| export function installSessionCookies(sessionToken: string): void { | ||
| // `max-age` makes the cookie persistent. If unspecified, the cookie | ||
| // expires at the end of the session, and users will be required to | ||
| // login again. | ||
| const cookieAttrs = "path=/; domain=.vellum.ai; secure; samesite=lax; max-age=1209600"; | ||
|
Collaborator
Author
There was a problem hiding this comment. I don't like that we're manually reinstalling cookies. Why not just use As is, this requires us to keep all of these attributes in sync with the actual cookie, but we're not doing properly right now:
Collaborator
Author
There was a problem hiding this comment. cc @noanflaherty in case this has implications for electron |
||
| document.cookie = `sessionid=${sessionToken}; ${cookieAttrs}`; | ||
| document.cookie = `__Secure-sessionid=${sessionToken}; ${cookieAttrs}`; | ||
|
Comment on lines
187
to
188
Collaborator
Author
There was a problem hiding this comment. We should only set one of these cookies, not both. Public SPA is served over HTTPS and should use the |
||
| } | ||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This makes the JS-installed native session cookie survive cold restarts, but the web logout path only calls
allauthLogout()best-effort and then clears local state infinally(apps/web/src/stores/auth-store.ts:243-251), even if the DELETE fails/returns non-ok and therefore no serverSet-Cookieexpiry is applied. In that offline/server-error scenario an iOS user appears signed out and is redirected to login, but after reopening the app the now-persistent valid cookie logs them back in; either explicitly expire these cookie names during logout cleanup or avoid persisting them without a matching client-side clear path.Useful? React with 👍 / 👎.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
minor edge case that I'm not gonna address here