From edbd8c7c62a473b42f8fe825461250ef3bc75e0c Mon Sep 17 00:00:00 2001
From: Joe Lanman
Date: Tue, 4 Apr 2017 14:33:04 +0100
Subject: [PATCH] set cookie timeout for security

---
 server.js | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/server.js b/server.js
index 7a58cee15b..fbc2883d05 100644
--- a/server.js
+++ b/server.js
@@ -97,13 +97,6 @@ app.use(bodyParser.urlencoded({
 extended: true
 }))
 
-// Support session data
-app.use(session({
-  resave: false,
-  saveUninitialized: false,
-  secret: Math.round(Math.random() * 100000).toString()
-}))
-
 // Add variables that are available in all views
 app.locals.analyticsId = analyticsId
 app.locals.asset_path = '/public/'
@@ -113,11 +106,25 @@ app.locals.promoMode = promoMode
 app.locals.releaseVersion = 'v' + releaseVersion
 app.locals.serviceName = config.serviceName
 
+var secure = false
+
 // Force HTTPs on production connections
 if (env === 'production' && useHttps === 'true') {
 app.use(utils.forceHttps)
+ secure = true
 }
 
+// Support session data
+app.use(session({
+ cookie: {
+ secure: secure,
+ maxAge: 1000 * 60 * 60 * 4 // 4 hours
+ },
+ resave: false,
+ saveUninitialized: false,
+ secret: Math.round(Math.random() * 100000).toString()
+}))
+
 // add nunjucks function called 'checked' to populate radios and checkboxes,
 // needs to be here as it needs access to req.session and nunjucks environment
 var addCheckedFunction = function (app, nunjucksEnv) {
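Review bot: The session `secret` carried into the new `session({...})` block, `Math.round(Math.random() * 100000).toString()`, has only about 100,000 possible values drawn from a non-cryptographic generator, so anyone who captures a single signed session cookie can brute-force the signing secret offline and mint session ids at will; the `secure` flag and 4-hour `maxAge` added here do not close that. It is also regenerated on every process start, so each restart invalidates every live session. I would read it from configuration with a strong fallback, `secret: process.env.SESSION_SECRET || crypto.randomBytes(32).toString('hex')`, with `var crypto = require('crypto')` added to the require block at the top of server.js, which is outside this hunk. Separately, if production terminates TLS at a proxy (which the `utils.forceHttps` middleware hints may be the case), express-session only sends a `secure: true` cookie when it sees the request itself as HTTPS, so `app.set('trust proxy', 1)` may also be needed ahead of this block — worth confirming against the deployment.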