Replies: 1 comment
I've realized this is actually a security issue not just a handy feature, so reported it here (with temporary workaround provided) https://github.com/nextauthjs/next-auth/security/advisories/GHSA-vf9v-mgp4-p9wm#advisory-comment-92075
Goals
I would like to have an option to have the session expire after some time, no matter whether the app is actively used or not.
Currently, setting session.maxAge would only reset the session on user IDLE.
Non-Goals
No response
Background
I would like my app to ask the user to log in from time to time, no matter the IDLE time. This is for security reasons. If a cookie got stolen, we want to prevent a potential attacker from having such a cookie for unlimited time (especially if the user is not aware of the incident and can't force logout on all devices).
GitHub does the same, e.g. when used with Enterprise SSO.
Proposal
Additional config to SessionProvider, which would make every session check just a check and not check + extend session. This way maxAge will also be a "hard" maxAge and not "soft".
What I've done so far was just patching the next-auth dependency (under node_modules) to not set cookies on the session request at all.
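One way to get the "hard" maxAge the proposal asks for without patching node_modules is to stamp an absolute deadline into the JWT at sign-in and refuse the token once that deadline passes, regardless of how often the sliding session.maxAge gets refreshed. The code below is an added example, not next-auth's own code and not the poster's patch. It assumes the jwt strategy, that the jwt callback is invoked with `user` only on the sign-in call, and that returning null from the jwt callback invalidates the session (true for Auth.js v5; check the behaviour of the version you run). HARD_MAX_AGE_SEC and the claim name absExp are chosen here for illustration.

```javascript
// Added example: enforcing an absolute ("hard") session lifetime inside a
// NextAuth jwt callback. Assumptions: jwt session strategy; `user` is only
// present on the sign-in invocation; a null return invalidates the session.

const HARD_MAX_AGE_SEC = 8 * 60 * 60; // assumption: force re-login after 8 hours

// Stamp the absolute deadline exactly once, at sign-in. Because the claim is
// never rewritten on later checks, activity cannot extend it.
function stampAbsoluteExpiry(token, nowSec) {
  return { ...token, absExp: nowSec + HARD_MAX_AGE_SEC };
}

// Return the token while it is within its absolute lifetime, otherwise null.
// A token with no stamp (issued before this check was deployed) is treated as
// expired so a stolen pre-existing cookie cannot live forever.
function enforceAbsoluteExpiry(token, nowSec) {
  if (typeof token.absExp !== "number") return null;
  return nowSec < token.absExp ? token : null;
}

// Shape of the function to put under authOptions.callbacks.jwt. The `nowSec`
// parameter exists so the logic can be tested without touching the clock.
function jwtCallback({ token, user }, nowSec = Math.floor(Date.now() / 1000)) {
  if (user) return stampAbsoluteExpiry(token, nowSec); // sign-in: stamp
  return enforceAbsoluteExpiry(token, nowSec);          // every later check: verify only
}

// Example wiring (illustrative, not executed here):
// export const authOptions = {
//   session: { strategy: "jwt", maxAge: 30 * 60 }, // sliding, idle timeout
//   callbacks: { jwt: (params) => jwtCallback(params) },
// };
```

The sliding session.maxAge keeps handling idle timeout; absExp is the cap on top of it. The stamp lives inside the session JWT, which next-auth signs/encrypts with the server secret, so a client holding a stolen cookie cannot push the deadline forward. For a database session strategy the same idea applies, but the deadline would be stored in the session row and checked in the session callback instead.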