Change to enforce CacheTimeout

Previously, CacheTimeout only affected the expiration time sent to the client; the code treated cookies as valid for 30 days.
wiltonsr · Nov 26, 2024 · 759ae1a · 759ae1a
1 parent 9d6124c
commit 759ae1a
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/ldapauth.go b/ldapauth.go
@@ -172,6 +172,12 @@ func New(ctx context.Context, next http.Handler, config *Config, name string) (h
 		Path:     config.CacheCookiePath,
 		Secure:   config.CacheCookieSecure,
 	}
+	// This is called within the constructor using the default MaxAge. If it's
+	// not called again here, our CacheTimeout would affect only the expiration
+	// time sent in the 'set-cookie' header but not the actual check of the
+	// HMACed timestamp in the cookie, so a cookie would be accepted for 30
+	// days.
+	store.MaxAge(store.Options.MaxAge)
 
 	return &LdapAuth{
 		name:   name,