Repl Auth 2.0 sets cookie with incorrect expiration date

Problem description:
This has only been tested in a React-based JavaScript web app. I have enabled Repl Auth and used the built-in Repl Auth page rather than implementing it directly into the code. When the REPL_AUTH cookie is initially set, the value is a basic base64 value with a Unix timestamp coding for what appears to be a 1-day expiration time. However, the actual expiration date is set to one week on the browser.

Expected behavior:
When the cookie expires, the user should be logged out and should see the login screen again.

Actual behavior:
When the cookie expires, the invalid cookie is kept in the user’s data storage for six days too long, and they have to manually delete the cookie in order to see the login screen again.

Steps to reproduce:

  1. Enable Auth 2.0 on a Repl.
  2. Authenticate on that Repl with the pop-up login window.
  3. Observe that the encoded REPL_AUTH cookie contains a Unix timestamp of approximately one day after auth happened.
  4. Observe that the actual Max-Age for the cookie is set to 7 days.

Bug appears at this link:
Literally any Repl with Repl Auth 2.0

Browser/OS/Device:
Tested on Chrome and Firefox.


Is the value or expiration date set to the unix timestamp?

I remember REPL_AUTH cookies are a JWT


The only place I’ve seen a unix timestamp is in the encoded cookie that’s actually saved. As far as I can tell, the browser doesn’t use that timestamp to set the expiration date.

It’s basically just encoded JSON plus what I assume to be random data at the end. Example data:
{"alg":"ES256","typ":"JWT"}{"name":"Dylithian","sub":"5651881","bio":"","profile_image":"","url":"https://replit.com/@Dylithian","roles":"","teams":"","iat":1681632923,"host":"doesnotexist.dylithian.repl.co","exp":1681719323}

The above is the JSON portion and the remaining data appears to just be a random number that gets encoded as well.


I am running into this issue too, not sure how to resolve it

I have also run into the same issue. I am not asked to log back into Replit after just one day, but accessing user data using the REPL_AUTH cookie becomes invalid after one day. Were you able to work around this somehow?
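The following is an added example, not code from this thread or from Replit. It shows what the posts above describe: the REPL_AUTH value is a compact JWT (three base64url segments separated by dots; the third segment is the ES256 signature, not random data), and the payload's `exp` claim is exactly `iat + 86400`, one day, while the cookie's own Max-Age runs for a week. The client-side workaround is to decode the payload, compare `exp` with the current time, and drop the stale cookie so the login screen comes back. The sample token is constructed here from the header and claims quoted in the thread with a placeholder signature; the cookie name REPL_AUTH is from the thread, while the assumptions are that the cookie is readable from page script (not HttpOnly) and was set with Path=/. Decoding the payload does not verify the signature, so the result is only a UI hint: the server that holds the verification key must still reject an expired token on every request.

```javascript
// Added example: detect an expired REPL_AUTH JWT on the client and clear the cookie.
// Runs in a browser (atob/btoa/document) and in Node (Buffer), so it can be tested offline.

function base64UrlDecode(segment) {
  // JWT segments are base64url without padding; restore standard base64 first.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const binary = typeof atob === "function"
    ? atob(padded)
    : Buffer.from(padded, "base64").toString("binary");
  const bytes = Uint8Array.from(binary, (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes); // payload JSON is UTF-8
}

function base64UrlEncode(text) {
  // Only needed to build the constructed sample token below.
  const bytes = new TextEncoder().encode(text);
  let binary = "";
  for (const b of bytes) binary += String.fromCharCode(b);
  const b64 = typeof btoa === "function"
    ? btoa(binary)
    : Buffer.from(binary, "binary").toString("base64");
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function parseCookies(cookieString) {
  // Minimal "name=value; name=value" parser for document.cookie.
  const jar = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    jar[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return jar;
}

function decodeJwtPayload(token) {
  // header.payload.signature; we only read the claims and do NOT verify the signature.
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT (expected 3 dot-separated segments)");
  return JSON.parse(base64UrlDecode(parts[1]));
}

function replAuthStatus(cookieString, nowSeconds = Math.floor(Date.now() / 1000)) {
  const token = parseCookies(cookieString).REPL_AUTH;
  if (!token) return { present: false, expired: true, secondsLeft: 0 };
  let payload;
  try {
    payload = decodeJwtPayload(token);
  } catch {
    return { present: true, expired: true, secondsLeft: 0, malformed: true };
  }
  if (typeof payload.exp !== "number") {
    return { present: true, expired: true, secondsLeft: 0, malformed: true };
  }
  return {
    present: true,
    expired: nowSeconds >= payload.exp,
    secondsLeft: Math.max(0, payload.exp - nowSeconds),
    // exp - iat: the token's real lifetime, independent of the cookie's Max-Age.
    lifetimeSeconds: typeof payload.iat === "number" ? payload.exp - payload.iat : undefined,
    payload,
  };
}

function clearReplAuthIfExpired() {
  // Browser-only: overwrite the cookie with Max-Age=0 so the browser drops it.
  // Path must match the attribute the cookie was set with (assumed "/" here).
  if (typeof document === "undefined") return false;
  const status = replAuthStatus(document.cookie);
  if (!status.present || !status.expired) return false;
  document.cookie = "REPL_AUTH=; Max-Age=0; Path=/";
  return true;
}

// Constructed sample, built from the header and claims quoted in the thread.
// The signature segment is a placeholder, not a real ES256 signature.
const SAMPLE_HEADER = { alg: "ES256", typ: "JWT" };
const SAMPLE_PAYLOAD = {
  name: "Dylithian", sub: "5651881", bio: "", profile_image: "",
  url: "https://replit.com/@Dylithian", roles: "", teams: "",
  iat: 1681632923, host: "doesnotexist.dylithian.repl.co", exp: 1681719323,
};
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify(SAMPLE_HEADER)),
  base64UrlEncode(JSON.stringify(SAMPLE_PAYLOAD)),
  "signature-placeholder",
].join(".");
const SAMPLE_COOKIE_HEADER = `REPL_AUTH=${SAMPLE_TOKEN}; theme=dark`;

if (typeof document === "undefined") {
  // Stand-alone demo under Node: one hour after issue vs. six days after issue.
  console.log(replAuthStatus(SAMPLE_COOKIE_HEADER, 1681632923 + 3600));
  console.log(replAuthStatus(SAMPLE_COOKIE_HEADER, 1681632923 + 6 * 86400));
}
```

In a React app, call `clearReplAuthIfExpired()` on mount and again on an interval (or before each request that relies on REPL_AUTH); when it returns true, route to the login screen. If the cookie turns out to be HttpOnly, `document.cookie` cannot see it and the same `exp` check has to run on the server, which should answer with a 401 and a `Set-Cookie: REPL_AUTH=; Max-Age=0` header instead.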