From 830fe7845e3d784afadb1434b5c4452ece9e0bc3 Mon Sep 17 00:00:00 2001
From: Cam Saul <cammsaul@gmail.com>
Date: Tue, 9 Apr 2019 19:21:28 -0700
Subject: [PATCH] Fix sessions expiring too soon :timer_clock:

---
 src/metabase/middleware/session.clj | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/metabase/middleware/session.clj b/src/metabase/middleware/session.clj
index 640f41499a6..b49e2f814aa 100644
--- a/src/metabase/middleware/session.clj
+++ b/src/metabase/middleware/session.clj
@@ -77,13 +77,15 @@
   (-> response
       wrap-body-if-needed
       (clear-cookie metabase-legacy-session-cookie)
+      ;; See also https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
       (resp/set-cookie
        metabase-session-cookie
        (str session-id)
        (merge
         {:same-site :lax
          :http-only true
-         :max-age   (config/config-int :max-session-age)}
+         ;; max-session age-is in minutes; Max-Age= directive should be in seconds
+         :max-age   (* 60 (config/config-int :max-session-age))}
         ;; If the authentication request request was made over HTTPS (hopefully always except for local dev instances)
         ;; add `Secure` attribute so the cookie is only sent over HTTPS.
         (when (https-request? request)
-- 
GitLab