Cookie with expiryDate gets deleted once session ends
Hello,
I have some weird behavior I'm not sure I understand. So now the backend sends a set-cookie called refreshToken with the login, and it's working just fine as it does what it's meant to do.
but the issue is that the cookie is removed every time a session ends. Even though it has an expiry of 3 months and I can see it correctly.
What is it that I'm missing?
context that might help: The backend is served on a different domain than the frontend.
26 Replies
what time is the cookie set to?
by the way, is it in incognito?
oh, that's a session cookie
that's normal
how are you setting the cookie?
by time you mean the expiryDate?
no reguar tab, also same behavior on all browsers
yes, but i saw it is indeed 3 months into the future
yeah exactly, which is very odd 😅
not at all
you're setting a session cookie
the expiration date is more a formality
I'm not sure I follow
so the cookie string itself is making it a session cookie?
no
the cookie is a session cookie
it's a cookie that's gone when the browser is closed
but what's the point of setting the expiry date?
you didn't show how you're setting the cookie, so, can't answer that
which framework are you using?
I'm not the backend developer, but we're using Express.js
npm
jsonwebtoken
JSON Web Token implementation (symmetric and asymmetric). Latest version: 9.0.2, last published: a year ago. Start using jsonwebtoken in your project by running
npm i jsonwebtoken. There are 32277 other projects in the npm registry using jsonwebtoken.this is the jwt package he is using
expressjs documentation is absolute ass
this is what's important
everything else is inconsequential
ok, do you have any idea what's wrong in that part?
Express 5.x - API Reference
Access the API reference for Express.js 5.x, detailing all modules, methods, and properties for building web applications with this latest version.
this should let you pick if it is or isnt a session cookie
AHA!!!!
i found the problem
it's possible that by using
maxAge, the session flag isn't removed
try using this instead
important: by using the date, you need to multiply everything by 1000 because js uses microseconds instead of millisecondsdone, changed it to expires with a Date.
now I have opened and closed a couple sessions on different browsers, and it didn't get removed yet 🙉
I will keep testing it, and hope it's fixed now.
Thank you!
you're welcome
seems like a bug in express js
you can check it by just seeing if it has the
session flag set
if it doesn't, it's a bug
if it does, it's also a bug