Make PKCE and State cookies not dependent on client clock accuracy.
Non-Goals
No response
Background
This is related to issue #4660, where a max-age setting was made available for the PKCE and State cookies (thank you for adding that). However, the expiration set on the cookie is based on the server clock, while the cookie's lifespan is based on the client's PC clock. I've run into issues with users unable to log in because their clock is too far off from the server to ever be able to complete the auth workflow. The only workaround would be to increase the cookie max age significantly, which is less secure and a game of "guess how far off your users' clocks are".
By changing the expiration on the cookies over to use the "max-age" cookie property instead of "expires", it will correctly allow the cookie to exist on the client for the desired amount of time and would simplify the code (no need to calculate a date).
I did not dig into the possibility of other similar cookies, but if there are others being handled similarly, it would be good to consider those as well.
Proposal
Change the PKCE and State cookies to use the "max-age" cookie property instead of "expires" to handle lifespan duration.
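The clock-skew effect described above, as an added example that is not part of the original issue or the project's code. It uses Go's standard net/http Cookie type with constructed values (cookie name, value, a 5-minute lifetime and a 10-minute skew are all assumptions) and models how a user agent decides whether the cookie is still alive when the OAuth callback arrives: an Expires timestamp is compared against the client's clock, while Max-Age is measured from the moment the client received the cookie.

```go
package main

import (
	"fmt"
	"net/http"
	"time"
)

// Constructed scenario: the server issues a short-lived state/PKCE cookie and
// the client's clock is skewed relative to the server's.
const cookieLifetime = 5 * time.Minute

// expiresCookie reflects the behaviour the issue describes: the lifetime is
// turned into an absolute Expires timestamp computed on the server clock.
func expiresCookie(serverNow time.Time) *http.Cookie {
	return &http.Cookie{
		Name:     "oauth_state", // assumed name
		Value:    "constructed-state-value",
		Expires:  serverNow.Add(cookieLifetime),
		Path:     "/",
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteLaxMode,
	}
}

// maxAgeCookie is the proposed form: a relative lifetime in seconds that the
// client measures on its own clock, so no server-side date arithmetic is needed.
func maxAgeCookie() *http.Cookie {
	return &http.Cookie{
		Name:     "oauth_state", // assumed name
		Value:    "constructed-state-value",
		MaxAge:   int(cookieLifetime / time.Second),
		Path:     "/",
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteLaxMode,
	}
}

// aliveOnClient models the user agent's expiry check. The client's clock reads
// serverNow+skew when the cookie is received, and the callback arrives after
// elapsed wall-clock time. As in RFC 6265, Max-Age takes precedence over
// Expires when both attributes are present; a cookie with neither is a
// session cookie and never expires by time.
func aliveOnClient(c *http.Cookie, serverNow time.Time, skew, elapsed time.Duration) bool {
	clientReceived := serverNow.Add(skew)
	clientNow := clientReceived.Add(elapsed)
	if c.MaxAge > 0 {
		return clientNow.Before(clientReceived.Add(time.Duration(c.MaxAge) * time.Second))
	}
	if !c.Expires.IsZero() {
		return clientNow.Before(c.Expires)
	}
	return true
}

func main() {
	serverNow := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	skew := 10 * time.Minute // client clock runs 10 minutes ahead of the server
	elapsed := 30 * time.Second

	fmt.Println("Set-Cookie:", expiresCookie(serverNow).String())
	fmt.Println("Set-Cookie:", maxAgeCookie().String())
	fmt.Println("Expires-based cookie alive on skewed client:",
		aliveOnClient(expiresCookie(serverNow), serverNow, skew, elapsed))
	fmt.Println("Max-Age-based cookie alive on skewed client:",
		aliveOnClient(maxAgeCookie(), serverNow, skew, elapsed))
}
```

The model also shows the other direction of the same problem: a client whose clock runs behind the server keeps an Expires-based cookie alive past its intended lifetime, whereas Max-Age keeps the lifetime fixed regardless of which way the clocks disagree.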