Change to enforce CacheTimeout

Previously, CacheTimeout only affected the expiration time sent to the client; the code treated cookies as valid for 30 days.
wiltonsr · Nov 26, 2024 · 5f40302 · 5f40302
1 parent ee48e9c
commit 5f40302
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/ldapauth.go b/ldapauth.go
@@ -172,6 +172,12 @@ func New(ctx context.Context, next http.Handler, config *Config, name string) (h
 		Path:     config.CacheCookiePath,
 		Secure:   config.CacheCookieSecure,
 	}
+	// This is called in sessions.NewCookieStore using the default MaxAge. If
+	// it's not called again here, our CacheTimeout would affect only the
+	// expiration time sent in the 'set-cookie' header but not the actual check
+	// of the HMACed timestamp in the cookie, so a cookie would be accepted for
+	// 30 days.
+	store.MaxAge(store.Options.MaxAge)
 
 	return &LdapAuth{
 		name:   name,