From 5f403025c5bbbee7022870094a6658fe1b0c42c2 Mon Sep 17 00:00:00 2001
From: Renee Margaret McConahy
Date: Tue, 26 Nov 2024 02:18:35 -0500
Subject: [PATCH] Change to enforce CacheTimeout

Previously, CacheTimeout only affected the expiration time sent to the client; the code treated cookies as valid for 30 days.
---
 ldapauth.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/ldapauth.go b/ldapauth.go
index c1c54df..8bd6c92 100644
--- a/ldapauth.go
+++ b/ldapauth.go
@@ -172,6 +172,12 @@ func New(ctx context.Context, next http.Handler, config *Config, name string) (h
 		Path: config.CacheCookiePath,
 		Secure: config.CacheCookieSecure,
 	}
+	// This is called in sessions.NewCookieStore using the default MaxAge. If
+	// it's not called again here, our CacheTimeout would affect only the
+	// expiration time sent in the 'set-cookie' header but not the actual check
+	// of the HMACed timestamp in the cookie, so a cookie would be accepted for
+	// 30 days.
+	store.MaxAge(store.Options.MaxAge)
 	return &LdapAuth{
 		name: name,