Add ability to configure cookie refresh time

quarkusio · Oct 24, 2019 · 45cde67 · 45cde67
1 parent 1678f08
commit 45cde67
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 3 deletions.
diff --git a/...nsions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/FormAuthConfig.java b/...nsions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/FormAuthConfig.java
@@ -40,6 +40,20 @@ public class FormAuthConfig {
     @ConfigItem(defaultValue = "PT30M")
     public Duration timeout;
 
+    /**
+     * How old a cookie can get before it will be replaced with a new cookie with an updated timeout.
+     *
+     * Not that smaller values will result in slightly more server load (as new encrypted cookies will be
+     * generated more often), however larger values affect the inactivity timeout as the timeout is set
+     * when a cookie is generated.
+     *
+     * For example if this is set to 10 minutes, and the inactivity timeout is 30m, if a users last request
+     * is when the cookie is 9m old then the actual timeout will happen 21m after the last request, as the timeout
+     * is only refreshed when a new cookie is generated.
+     */
+    @ConfigItem(defaultValue = "PT1M")
+    public Duration newCookieInterval;
+
     /**
      * The cookie that is used to store the persistent session
      */

diff --git a/...ime/src/main/java/io/quarkus/vertx/http/runtime/security/FormAuthenticationMechanism.java b/...ime/src/main/java/io/quarkus/vertx/http/runtime/security/FormAuthenticationMechanism.java
@@ -61,7 +61,8 @@ public void init(HttpConfiguration httpConfiguration, HttpBuildTimeConfig buildT
             key = httpConfiguration.encryptionKey;
         }
         FormAuthConfig form = buildTimeConfig.auth.form;
-        loginManager = new PersistentLoginManager(key, "quarkus-credential", form.timeout.toMillis());
+        loginManager = new PersistentLoginManager(key, "quarkus-credential", form.timeout.toMillis(),
+                form.newCookieInterval.toMillis());
         loginPage = form.loginPage.startsWith("/") ? form.loginPage : "/" + form.loginPage;
         errorPage = form.errorPage.startsWith("/") ? form.errorPage : "/" + form.errorPage;
         landingPage = form.landingPage.startsWith("/") ? form.landingPage : "/" + form.landingPage;

diff --git a/.../runtime/src/main/java/io/quarkus/vertx/http/runtime/security/PersistentLoginManager.java b/.../runtime/src/main/java/io/quarkus/vertx/http/runtime/security/PersistentLoginManager.java
@@ -35,10 +35,12 @@ public class PersistentLoginManager {
     private final String cookieName;
     private final long timeoutMillis;
     private final SecureRandom secureRandom = new SecureRandom();
+    private final long newCookieMillis;
 
-    public PersistentLoginManager(String encryptionKey, String cookieName, long timeoutMillis) {
+    public PersistentLoginManager(String encryptionKey, String cookieName, long timeoutMillis, long newCookieMillis) {
         try {
             this.cookieName = cookieName;
+            this.newCookieMillis = newCookieMillis;
             this.timeoutMillis = timeoutMillis;
             if (encryptionKey == null) {
                 secretKey = KeyGenerator.getInstance("AES").generateKey();
@@ -79,7 +81,7 @@ public RestoreResult restore(RoutingContext context) {
             if (System.currentTimeMillis() > expire) {
                 return null;
             }
-            return new RestoreResult(result.substring(sep + 1), (System.currentTimeMillis() - expire) > 1000 * 60); //new cookie every minute
+            return new RestoreResult(result.substring(sep + 1), (System.currentTimeMillis() - expire) > newCookieMillis);
         } catch (Exception e) {
             log.debug("Failed to restore persistent user session", e);
             return null;