Problem description:
This has only been tested in a React-based JavaScript Web App. I have enabled Repl Auth and used the built-in Repl Auth page rather than implementing it directly into the code. When the REPL_AUTH cookie is initially set, the value is a basic base64 value with a Unix timestamp coding for what appears to be a 1-day expiration time. However, the actual expiration date is set to one week on the browser.
Expected behavior:
When the cookie expires, the user should be logged out and should see the login screen again.
Actual behavior:
When the cookie expires, the invalid cookie is kept in the user’s data storage for six days too long, and they have to manually delete the cookie in order to see the login screen again.
Steps to reproduce:
- Enable Auth 2.0 on a Repl.
- Authenticate on that Repl with the pop-up login window.
- Observe that the encoded REPL_AUTH cookie has set a cookie with a Unix Timestamp of approximately one day since auth happened.
- Observe that the actual Max-Age for the cookie is set to 7 days.
Bug appears at this link:
Literally any Repl with Repl Auth 2.0
Browser/OS/Device:
Tested on Chrome and Firefox.
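
Added example (not part of the original report and not Replit's code): one way to measure the mismatch described above from a captured `Set-Cookie` header. It assumes the REPL_AUTH value is a JWT-style token whose middle segment is base64url JSON with an `exp` claim in Unix seconds; the helper names, sample token and header are constructed.

```javascript
// Assumption: cookie value is "header.payload.signature", payload is base64url JSON with `exp`.
function b64urlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  return Buffer.from(b64, "base64").toString("utf8");
}
function b64urlEncode(s) {
  return Buffer.from(s, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Parse one Set-Cookie header into name, value and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((p) => p.trim());
  const eq = pair.indexOf("=");
  const out = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const k = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    out.attrs[k] = i === -1 ? true : a.slice(i + 1);
  }
  return out;
}

// Expiry embedded in the token (seconds since epoch), or null if unreadable.
function embeddedExpiry(value) {
  const parts = value.split(".");
  if (parts.length !== 3) return null;
  try {
    const exp = JSON.parse(b64urlDecode(parts[1])).exp;
    return Number.isFinite(exp) ? exp : null;
  } catch { return null; }
}

// Compare the browser-side lifetime (Max-Age) with the token's own lifetime.
function lifetimeMismatch(header, nowSec) {
  const c = parseSetCookie(header);
  const exp = embeddedExpiry(c.value);
  const maxAge = Number.parseInt(c.attrs["max-age"], 10);
  if (exp === null || Number.isNaN(maxAge)) return null;
  const tokenTtl = exp - nowSec;
  return { tokenTtl, cookieTtl: maxAge, staleSeconds: Math.max(0, maxAge - tokenTtl) };
}

// Constructed sample: token valid for 1 day, cookie kept by the browser for 7 days.
const NOW = 1700000000;
const sampleToken = [b64urlEncode('{"alg":"none"}'),
  b64urlEncode(JSON.stringify({ name: "demo", exp: NOW + 86400 })), "sig"].join(".");
const sampleHeader = `REPL_AUTH=${sampleToken}; Max-Age=604800; Path=/; Secure; HttpOnly`;
console.log(lifetimeMismatch(sampleHeader, NOW));
```

A non-zero `staleSeconds` is the window in which the browser still holds and sends a token whose embedded expiry has already passed.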