Pressingly · UsamaSadiq · Apr 21, 2026 · Apr 21, 2026
diff --git a/backend/src/app/config.clj b/backend/src/app/config.clj
@@ -58,6 +58,9 @@
    :objects-storage-fs-directory "assets"
 
    :auth-token-cookie-name "auth-token"
+   ;; Defaults match FOSS devstack SESSION_COOKIE_MAX_AGE_SECONDS / SESSION_COOKIE_REFRESH_SECONDS
+   :auth-token-cookie-max-age (ct/duration {:days 7})
+   :auth-token-cookie-renewal-max-age (ct/duration {:hours 1})
 
    :assets-path "/internal/assets/"
    :smtp-default-reply-to "Penpot <no-reply@example.com>"
@@ -156,6 +159,7 @@
 
     [:auth-token-cookie-name {:optional true} :string]
     [:auth-token-cookie-max-age {:optional true} ::ct/duration]
+    [:auth-token-cookie-renewal-max-age {:optional true} ::ct/duration]
 
     [:registration-domain-whitelist {:optional true} [::sm/set :string]]
     [:email-verify-threshold {:optional true} ::ct/duration]

diff --git a/backend/src/app/http/session.clj b/backend/src/app/http/session.clj
@@ -218,10 +218,11 @@
 
 (defn- renew-session?
   [{:keys [id modified-at] :as session}]
-  (or (string? id)
-      (and (ct/inst? modified-at)
-           (let [elapsed (ct/diff modified-at (ct/now))]
-             (neg? (compare default-renewal-max-age elapsed))))))
+  (let [renewal-max (cf/get :auth-token-cookie-renewal-max-age default-renewal-max-age)]
+    (or (string? id)
+        (and (ct/inst? modified-at)
+             (let [elapsed (ct/diff modified-at (ct/now))]
+               (neg? (compare renewal-max elapsed)))))))
 
 (defn- wrap-authz
   [handler {:keys [::manager] :as cfg}]
@@ -279,7 +280,7 @@
   [response {token :token modified-at :modified-at}]
   (let [max-age    (cf/get :auth-token-cookie-max-age default-cookie-max-age)
         created-at modified-at
-        renewal    (ct/plus created-at default-renewal-max-age)
+        renewal    (ct/plus created-at (cf/get :auth-token-cookie-renewal-max-age default-renewal-max-age))
         expires    (ct/plus created-at max-age)
         secure?    (contains? cf/flags :secure-session-cookies)
         strict?    (contains? cf/flags :strict-session-cookies)

diff --git a/backend/test/backend_tests/config_session_cookie_test.clj b/backend/test/backend_tests/config_session_cookie_test.clj
@@ -0,0 +1,50 @@
+;; This Source Code Form is subject to the terms of the Mozilla Public
+;; License, v. 2.0. If a copy of the MPL was not distributed with this
+;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;;
+;; Copyright (c) KALEIDOS INC
+
+(ns backend-tests.config-session-cookie-test
+  "Auth-token cookie max-age / renewal-max-age: defaults, env override (merge), session renewal threshold."
+  (:require
+   [app.common.time :as ct]
+   [app.config :as cf]
+   [app.http.session :as session]
+   [clojure.test :as t]
+   [environ.core :refer [env]]))
+
+(t/deftest default-map-includes-unified-session-durations
+  (let [max-age (:auth-token-cookie-max-age cf/default)
+        renewal (:auth-token-cookie-renewal-max-age cf/default)]
+    (t/is (ct/duration? max-age))
+    (t/is (ct/duration? renewal))
+    (t/is (= (ct/duration {:days 7}) max-age))
+    (t/is (= (ct/duration {:hours 1}) renewal))))
+
+(t/deftest read-config-uses-defaults-when-env-prefix-has-no-keys
+  ;; No process env uses this prefix; read-env is empty → merged config is `default` only.
+  (let [cfg (cf/read-config :prefix "penpotzzzzunused"
+                            :default cf/default)]
+    (t/is (= (ct/duration {:days 7}) (:auth-token-cookie-max-age cfg)))
+    (t/is (= (ct/duration {:hours 1}) (:auth-token-cookie-renewal-max-age cfg)))))
+
+(t/deftest read-config-env-overrides-default
+  (let [extra {:penpot-auth-token-cookie-max-age "172800s"
+               :penpot-auth-token-cookie-renewal-max-age "7200s"}
+        merged (merge env extra)]
+    (with-redefs [env merged]
+      (let [cfg (cf/read-config :default cf/default)]
+        (t/is (= (ct/duration {:days 2}) (:auth-token-cookie-max-age cfg)))
+        (t/is (= (ct/duration {:hours 2}) (:auth-token-cookie-renewal-max-age cfg)))))))
+
+(t/deftest renew-session-respects-configured-renewal-max-age
+  (binding [cf/config (assoc cf/config
+                             :auth-token-cookie-renewal-max-age (ct/duration {:minutes 5}))]
+    (let [now (ct/now)
+          recent (ct/minus now (ct/duration {:minutes 1}))
+          stale (ct/minus now (ct/duration {:minutes 10}))]
+      (t/is (not (#'session/renew-session? {:id (random-uuid) :modified-at recent})))
+      (t/is (#'session/renew-session? {:id (random-uuid) :modified-at stale})))))
+
+(t/deftest renew-session-true-for-legacy-string-session-id
+  (t/is (#'session/renew-session? {:id "legacy-string-session" :modified-at (ct/now)})))