
Commit

update cookie expiration limit
pilcrowonpaper committed Sep 21, 2024
1 parent daf946b commit e811b76
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion pages/sessions.md
Expand Up @@ -91,7 +91,7 @@ Session cookies should have the following attributes:

[CSRF protection](/csrf) must be implemented when using cookies, and using the `SameSite` flag is not sufficient. Using cookies does not automatically protect your users from cross-site scripting attacks (XSS) as well. While the session ID can't be read directly, authenticated requests can still be made as browsers automatically include cookies in requests.

The maximum expiration for a cookie is anywhere between 1 and 2 years. If you plan for the session to be long-lived, continuously set the cookie on a set interval (e.g. when you extend the session expiration).
The maximum expiration for a cookie is 400 days. If you plan for the session to be long-lived, continuously set the cookie.

`Lax` should be preferred over `Strict` for the `SameSite` attribute as using `Strict` will cause the browser to not send the session cookie when the user visits your application via an external link.
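Review bot: the replacement line drops the concrete trigger from the old sentence ("on a set interval (e.g. when you extend the session expiration)"), and "continuously set the cookie" on its own leaves the reader guessing when to do it; suggest keeping the trigger, e.g. `continuously set the cookie, for example each time you extend the session expiration.` It would also help to say where the 400-day figure comes from (it is the cookie lifetime cap from the RFC 6265bis draft, which browsers enforce by clamping longer `Max-Age`/`Expires` values), so that readers understand why a longer value in `Set-Cookie` does not produce a longer-lived cookie.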


0 comments on commit e811b76
