set cookie timeout for security

alphagov · Apr 4, 2017 · edbd8c7 · edbd8c7
1 parent 330b421
commit edbd8c7
Showing 1 changed file with 14 additions and 7 deletions.
diff --git a/server.js b/server.js
@@ -97,13 +97,6 @@ app.use(bodyParser.urlencoded({
   extended: true
 }))
 
-// Support session data
-app.use(session({
-  resave: false,
-  saveUninitialized: false,
-  secret: Math.round(Math.random() * 100000).toString()
-}))
-
 // Add variables that are available in all views
 app.locals.analyticsId = analyticsId
 app.locals.asset_path = '/public/'
@@ -113,11 +106,25 @@ app.locals.promoMode = promoMode
 app.locals.releaseVersion = 'v' + releaseVersion
 app.locals.serviceName = config.serviceName
 
+var secure = false
+
 // Force HTTPs on production connections
 if (env === 'production' && useHttps === 'true') {
   app.use(utils.forceHttps)
+  secure = true
 }
 
+// Support session data
+app.use(session({
+  cookie: {
+    secure: secure,
+    maxAge: 1000 * 60 * 60 * 4 // 4 hours
+  },
+  resave: false,
+  saveUninitialized: false,
+  secret: Math.round(Math.random() * 100000).toString()
+}))
+
 // add nunjucks function called 'checked' to populate radios and checkboxes,
 // needs to be here as it needs access to req.session and nunjucks environment
 var addCheckedFunction = function (app, nunjucksEnv) {