update session cookie age

raft-tech · Jun 2, 2024 · 0e3026d · 0e3026d
1 parent 91bef41
commit 0e3026d
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/tdrs-backend/docs/session-management.md b/tdrs-backend/docs/session-management.md
@@ -11,11 +11,11 @@ When the user logs in, they will receive an HttpOnly cookie with no `Expires=` s
 SESSION_EXPIRE_AT_BROWSER_CLOSE=True
 ```
 
-The cookie itself contains a `sessionid` reference to a Django-managed session. The session expiration is set to the ~~same expiration of the login.gov-provided jwt~~, **30 minutes**.
+The cookie itself contains a `sessionid` reference to a Django-managed session. The session expiration is set to the same expiration of the login.gov-provided jwt, **15 minutes**.
 
 This is managed in `tdrs-backend/tdpservice/settings/common.py` with the following setting:
 ```python
-SESSION_COOKIE_AGE = 30 * 60  # 30 minutes
+SESSION_COOKIE_AGE = 15 * 60  # 30 minutes
 ```
 
 ### Frontend

diff --git a/tdrs-backend/tdpservice/settings/common.py b/tdrs-backend/tdpservice/settings/common.py
@@ -271,7 +271,7 @@ class Common(Configuration):
     SESSION_ENGINE = "django.contrib.sessions.backends.signed_cookies"
     SESSION_COOKIE_HTTPONLY = True
     SESSION_EXPIRE_AT_BROWSER_CLOSE = True
-    SESSION_COOKIE_AGE = 30 * 60  # 30 minutes
+    SESSION_COOKIE_AGE = 15 * 60  # 15 minutes
     # The CSRF token Cookie holds no security benefits when confined to HttpOnly.
     # Setting this to false to allow the frontend to include it in the header
     # of API POST calls to prevent false negative authorization errors.