Cookie expiration issue


#1

Hello,
I’m using the Silhouette seed project (https://github.com/mohiva/play-silhouette-seed) with a few modifications.
I’m using the default cookie authenticator and I want to have a long expiration period - one year.
I’ve set up the values in the .conf file and I can validate that the cookie returned has an expiration date one year from now.
But in reality the cookie will stop being accepted much sooner, maybe after one month.
So there is something in its content that validates its duration as well, right?
Can you please help me set it up correctly?

These are my current values in silhouette.conf file:

  # Authenticator settings
  authenticator.cookieName="authenticator_group_dial"
  authenticator.cookiePath="/"
  authenticator.secureCookie=false // Disabled for testing on localhost without SSL, otherwise cookie couldn't be set
  authenticator.httpOnlyCookie=true
  authenticator.useFingerprinting=true
  authenticator.authenticatorIdleTimeout=365 days
  authenticator.authenticatorExpiry=365 days

  authenticator.rememberMe.cookieMaxAge=365 days
  authenticator.rememberMe.authenticatorIdleTimeout=365 days
  authenticator.rememberMe.authenticatorExpiry=365 days

  authenticator.cookieMaxAge=365 days

  # OAuth1 token secret provider settings
  oauth1TokenSecretProvider.cookieName="OAuth1TokenSecret"
  oauth1TokenSecretProvider.cookiePath="/"
  oauth1TokenSecretProvider.secureCookie=false // Disabled for testing on localhost without SSL, otherwise cookie couldn't be set
  oauth1TokenSecretProvider.httpOnlyCookie=true
  oauth1TokenSecretProvider.expirationTime=5 minutes


  # OAuth2 state provider settings
  oauth2StateProvider.cookieName="OAuth2State"
  oauth2StateProvider.cookiePath="/"
  oauth2StateProvider.secureCookie=false // Disabled for testing on localhost without SSL, otherwise cookie couldn't be set
  oauth2StateProvider.httpOnlyCookie=true
  oauth2StateProvider.expirationTime=5 minutes

EDIT: now I’m thinking, could it be the useFingerprinting=true? If I use a different PC to log in, then my old cookie won’t work anymore?


#2

Hi,

Yes, this could be an issue. The fingerprint generator creates a fingerprint of your browser. So if you come with another browser, then it’s not valid.

Best regards,
Christian
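
The check discussed in this thread, as an added example that is not part of the original posts and is not Silhouette's own code: a simplified model in which a cookie authenticator is rejected on expiry, idle timeout or fingerprint mismatch, regardless of the cookie's max-age. The names `Authenticator`, `FingerprintDemo`, `fingerprint` and `rejection` are hypothetical, and the header set and SHA-256 hash are assumptions; disabling fingerprinting is modelled as an absent fingerprint.

```scala
import java.security.MessageDigest
import java.time.{Duration, Instant}

// Simplified model of a fingerprinted cookie authenticator (hypothetical names, not Silhouette's classes).
final case class Authenticator(
  lastUsed: Instant,
  expiration: Instant,
  idleTimeout: Option[Duration],
  fingerprint: Option[String])

object FingerprintDemo {
  // Assumption: the fingerprint is a hash over request headers that identify the browser.
  def fingerprint(headers: Map[String, String]): String = {
    val material = Seq("User-Agent", "Accept-Language", "Accept-Charset")
      .map(h => headers.getOrElse(h, "")).mkString(":")
    MessageDigest.getInstance("SHA-256")
      .digest(material.getBytes("UTF-8")).map("%02x".format(_)).mkString
  }

  // Returns None when the authenticator is accepted, otherwise the reason it is rejected.
  def rejection(a: Authenticator, headers: Map[String, String], now: Instant): Option[String] =
    if (now.isAfter(a.expiration)) Some("expired")
    else if (a.idleTimeout.exists(t => now.isAfter(a.lastUsed.plus(t)))) Some("idle timeout")
    else if (a.fingerprint.exists(_ != fingerprint(headers))) Some("fingerprint mismatch")
    else None

  def main(args: Array[String]): Unit = {
    // Constructed sample requests: same user, same cookie, different browser headers.
    val loginBrowser = Map("User-Agent" -> "ExampleBrowser/1.0", "Accept-Language" -> "en-US")
    val otherBrowser = Map("User-Agent" -> "ExampleBrowser/2.0", "Accept-Language" -> "en-US")

    val issued = Instant.parse("2024-01-01T00:00:00Z")
    val year = Duration.ofDays(365)
    val auth = Authenticator(issued, issued.plus(year), Some(year), Some(fingerprint(loginBrowser)))

    val later = issued.plus(Duration.ofDays(30)) // well inside every 365-day limit
    println(rejection(auth, loginBrowser, later))                          // same browser
    println(rejection(auth, otherBrowser, later))                          // different browser
    println(rejection(auth.copy(fingerprint = None), otherBrowser, later)) // fingerprinting off
  }
}
```

With no fingerprint stored, the same cookie value is accepted from any browser until it expires, which is the trade-off to weigh against a 365-day lifetime.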