Middleware and extending the Cookies maxAge

[rwieruch]

I might be missing something, but I noticed in the new Lucia documentation that the cookie's lifetime is extended in the middleware: https://lucia-next.pages.dev/sessions/cookies/nextjs

However, it seems like the expiresAt value for the session in the database doesn't get updated. Since the validateSessionToken function checks against the session stored in the database rather than the refreshed cookie (out of sync), wouldn't this mean the cookie's lifetime extension isn't really taken into account? Any clarification on this would be greatly appreciated!

Related: I guess it would be a security risk to just attach the lifetime to the cookie alone and have it not attached on the session in the DB, because then we would loose the ability to invalidate sessions directly in the DB.

[pilcrowonpaper]

I'm not exactly sure what you mean? The cookie lifetime doesn't really matter

[rwieruch]

Ah okay, then I misunderstood the following code I guess:

response.cookies.set("session", token, {
  path: "/",
  maxAge: 60 * 60 * 24 * 30,
  sameSite: "lax",
  httpOnly: true,
  secure: process.env.NODE_ENV === "production"
});

So essentially we are just keeping the session alive for every GET request if there is a cookie. We do not validateSessionToken() the session (or refresh the session's expiresAt date). But once there is a mutating user operation, we would have to perform authorization via validateSessionToken where the expiresAt is getting checked.

[pilcrowonpaper]

Ideally we'd like to extend the cookie lifetime when we actually extend the session expiration, but that's not possible in Next.js, so we just extend the cookie lifetime if it exists regardless of whether it's valid or not.