When the cookie expires, the user should be logged out and should see the login screen again.
When the cookie expires, the invalid cookie is kept in the user’s data storage for six days too long, and they have to manually delete the cookie in order to see the login screen again.
Steps to reproduce:
- Enable Auth 2.0 on a Repl.
- Authenticate on that Repl with the pop-up login window.
- Observe that the encoded REPL_AUTH cookie has set a cookie with a Unix Timestamp of approximately one day since auth happened.
- Observe that the actual Max-Age for the cookie is set to 7 days.
Bug appears at this link:
Literally any Repl with Repl Auth 2.0
Tested on Chrome and Firefox.