keystonejs · MadeByMike · Sep 11, 2019 · Sep 10, 2019 · Sep 11, 2019 · Sep 11, 2019
diff --git a/.changeset/smooth-pumpkins-deliver/changes.json b/.changeset/smooth-pumpkins-deliver/changes.json
@@ -0,0 +1,7 @@
+{
+  "releases": [
+    { "name": "@keystone-alpha/keystone", "type": "minor" },
+    { "name": "@keystone-alpha/session", "type": "minor" }
+  ],
+  "dependents": []
+}
diff --git a/.changeset/smooth-pumpkins-deliver/changes.md b/.changeset/smooth-pumpkins-deliver/changes.md
@@ -0,0 +1,11 @@
+Adds a `cookieMaxAge` and `secureCookies` option to the keystone constructor. 
+
+These will default to 1 day and `true` in production. Or `null` and `false` in other environments.
+
+### Usage 
+```javascript
+const keystone = new Keystone({
+  cookieMaxAge: 1000 * 60 * 60 * 24 * 7, // 1 week 
+  secureCookies: true,
+});
+```
diff --git a/packages/keystone/lib/Keystone/index.js b/packages/keystone/lib/Keystone/index.js
@@ -44,6 +44,8 @@ module.exports = class Keystone {
     onConnect,
     cookieSecret = 'qwerty',
     sessionStore,
+    secureCookies = process.env.NODE_ENV === 'production', // Default to true in production
+    cookieMaxAge = process.env.NODE_ENV === 'production' ? 1000 * 60 * 60 * 24 : null,
   }) {
     this.name = name;
     this.adapterConnectOptions = adapterConnectOptions;
@@ -57,8 +59,9 @@ module.exports = class Keystone {
     this._extendedMutations = [];
     this._graphQLQuery = {};
     this._cookieSecret = cookieSecret;
+    this._secureCookies = secureCookies;
+    this._cookieMaxAge = cookieMaxAge;
     this._sessionStore = sessionStore;
-    this.registeredTypes = new Set();
     this.eventHandlers = { onConnect };
 
     if (adapters) {
@@ -544,7 +547,13 @@ module.exports = class Keystone {
       // Used by other middlewares such as authentication strategies. Important
       // to be first so the methods added to `req` are available further down
       // the request pipeline.
-      commonSessionMiddleware(this, this._cookieSecret, this._sessionStore),
+      commonSessionMiddleware({
+        keystone: this,
+        cookieSecret: this._cookieSecret,
+        sessionStore: this.sessionStore,
+        secureCookies: this._secureCookies,
+        cookieMaxAge: this._cookieMaxAge,
+      }),
       ...(await Promise.all(
         [
           // Inject any field middlewares (eg; WYSIWIG's static assets)

diff --git a/packages/session/lib/session.js b/packages/session/lib/session.js
@@ -2,7 +2,13 @@ const cookieSignature = require('cookie-signature');
 const expressSession = require('express-session');
 const cookie = require('cookie');
 
-const commonSessionMiddleware = (keystone, cookieSecret, sessionStore) => {
+const commonSessionMiddleware = ({
+  keystone,
+  cookieSecret,
+  sessionStore,
+  secureCookies,
+  cookieMaxAge,
+}) => {
   const COOKIE_NAME = 'keystone.sid';
 
   // We have at least one auth strategy
@@ -50,7 +56,9 @@ const commonSessionMiddleware = (keystone, cookieSecret, sessionStore) => {
     resave: false,
     saveUninitialized: false,
     name: COOKIE_NAME,
+    cookie: { secure: secureCookies },
     store: sessionStore,
+    maxAge: cookieMaxAge,
   });
 
   return [injectAuthCookieMiddleware, sessionMiddleware, populateAuthedItemMiddleware(keystone)];