fix: options both expires maxage

README.md

@@ -66,10 +66,10 @@ The name of the session cookie. Defaults to `sessionId`.
 ##### cookie
 The options object is used to generate the `Set-Cookie` header of the session cookie. May have the following properties:
 * `path` - The `Path` attribute. Defaults to `/` (the root path). 
-* `maxAge` - A `number` in milliseconds that specifies the `Expires` attribute by adding the specified milliseconds to the current date. If both `expires` and `maxAge` are set, then `expires` is used.
+* `maxAge` - A `number` in milliseconds that specifies the `Expires` attribute by adding the specified milliseconds to the current date. If both `expires` and `maxAge` are set, then `maxAge` is used.
 * `httpOnly` - The `boolean` value of the `HttpOnly` attribute. Defaults to true.
 * `secure` - The `boolean` value of the `Secure` attribute. Set this option to false when communicating over an unencrypted (HTTP) connection. Value can be set to `auto`; in this case, the `Secure` attribute will be set to false for an HTTP request. In the case of HTTPS, it will be set to true.  Defaults to true.
-* `expires` - The expiration `date` used for the `Expires` attribute. If both `expires` and `maxAge` are set, then `expires` is used.
+* `expires` - The expiration `date` used for the `Expires` attribute. If both `expires` and `maxAge` are set, then `maxAge` is used.
 * `sameSite`- The `boolean` or `string` of the `SameSite` attribute. Using `Secure` mode with `auto` attribute will change the behavior of the `SameSite` attribute in `http` mode. The `SameSite` attribute will automatically be set to `Lax` with an `http` request. See this [link](https://www.chromium.org/updates/same-site).
 * `domain` - The `Domain` attribute.
 

test/cookie.test.js

@@ -396,3 +396,29 @@ test('should set session secure cookie secureAuto x-forwarded-proto header', asy
   t.is(statusCode, 200)
   t.regex(cookie, /sessionId=[\w-]{32}.[\w-%]{43,55}; Path=\/; HttpOnly; Secure/)
 })
+
+test('should use maxAge instead of expires in session if both are set in options.cookie', async (t) => {
+  t.plan(3)
+  const expires = new Date()
+  expires.setTime(34214461000) // 1971-02-01T00:01:01.000Z
+  const options = {
+    secret: 'cNaoPYAwF60HZJzkcNaoPYAwF60HZJzk',
+    cookie: { maxAge: 1000, expires }
+  }
+  const port = await testServer((request, reply) => {
+    request.session.test = {}
+    reply.code(200).send(Date.now().toString())
+  }, options)
+
+  const { statusCode, cookie, body } = await request({
+    url: `http://localhost:${port}`,
+    headers: { 'x-forwarded-proto': 'https' }
+  })
+
+  const dateFromBody = new Date(Number(body))
+  t.is(statusCode, 200)
+  // Expires attribute should be determined by options.maxAge -> Date.now() + 1000 and should have the same year from response.body,
+  // and not determined by options.expires and should not have the year of 1971
+  t.notRegex(cookie, /sessionId=[\w-]{32}.[\w-%]{43,55}; Path=\/; Expires=\w+, \d+ \w+ 1971 \d{2}:\d{2}:\d{2} GMT; HttpOnly; Secure/)
+  t.regex(cookie, new RegExp(String.raw`sessionId=[\w-]{32}.[\w-%]{43,55}; Path=\/; Expires=\w+, \d+ \w+ ${dateFromBody.getFullYear()} \d{2}:\d{2}:\d{2} GMT; HttpOnly; Secure`))
+})