Allowing session cookie (split cookie)

DependencyInjection/LexikJWTAuthenticationExtension.php

@@ -103,7 +103,7 @@ public function load(array $configs, ContainerBuilder $container)
                 $container
                     ->setDefinition($id = "lexik_jwt_authentication.cookie_provider.$name", new ChildDefinition('lexik_jwt_authentication.cookie_provider'))
                     ->replaceArgument(0, $name)
-                    ->replaceArgument(1, $attributes['lifetime'] ?: ($config['token_ttl'] ?: 0))
+                    ->replaceArgument(1, $attributes['lifetime'] ?? ($config['token_ttl'] ?: 0))
                     ->replaceArgument(2, $attributes['samesite'])
                     ->replaceArgument(3, $attributes['path'])
                     ->replaceArgument(4, $attributes['domain'])

Resources/doc/1-configuration-reference.md

@@ -116,6 +116,8 @@ set_cookies:
 ### Automatically generating split cookies
 You are also able to automatically generate split cookies. Benefits of this approach are in [this post](https://medium.com/lightrail/getting-token-authentication-right-in-a-stateless-single-page-application-57d0c6474e3).
 
+Set the signature cookie (jwt_s) lifetime to 0 to create session cookies.
+
 Keep in mind, that SameSite attribute is **not supported** in [some browsers](https://caniuse.com/#feat=same-site-cookie-attribute)
 
 ```
@@ -138,7 +140,7 @@ set_cookies:
             - payload
 
     jwt_s:
-        lifetime: null
+        lifetime: 0
         samesite: strict
         path: /
         domain: null

Security/Http/Cookie/JWTCookieProvider.php

@@ -43,17 +43,21 @@ public function createCookie(string $jwt, ?string $name = null, $expiresAt = nul
             throw new \LogicException(sprintf('The cookie name must be provided, either pass it as 2nd argument of %s or set a default name via the constructor.', __METHOD__));
         }
 
-        if (!$expiresAt && !$this->defaultLifetime) {
+        if (!$expiresAt && null === $this->defaultLifetime) {
             throw new \LogicException(sprintf('The cookie expiration time must be provided, either pass it as 3rd argument of %s or set a default lifetime via the constructor.', __METHOD__));
         }
 
         $jwtParts = new JWTSplitter($jwt);
         $jwt = $jwtParts->getParts($split ?: $this->defaultSplit);
 
+        if (null === $expiresAt) {
+            $expiresAt = 0 === $this->defaultLifetime ? 0 : (time() + $this->defaultLifetime);
+        }
+
         return new Cookie(
             $name ?: $this->defaultName,
             $jwt,
-            null === $expiresAt ? (time() + $this->defaultLifetime) : $expiresAt,
+            $expiresAt,
             $path ?: $this->defaultPath,
             $domain ?: $this->defaultDomain,
             $secure ?: $this->defaultSecure,

Tests/Security/Http/Cookie/JWTCookieProviderTest.php

@@ -0,0 +1,38 @@
+<?php
+
+namespace Lexik\Bundle\JWTAuthenticationBundle\Tests\Security\Http\Cookie;
+
+use Lexik\Bundle\JWTAuthenticationBundle\Security\Http\Cookie\JWTCookieProvider;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * JWTCookieProviderTest.
+ */
+class JWTCookieProviderTest extends TestCase
+{
+    public function testCreateCookieWithExpiration()
+    {
+        $expiresAt = time() + 3600;
+        $cookieProvider = new JWTCookieProvider("default_name");
+        $cookie = $cookieProvider->createCookie("header.payload.signature", "name", $expiresAt);
+
+        $this->assertEquals($expiresAt, $cookie->getExpiresTime());
+    }
+
+    public function testCreateCookieWithLifetime()
+    {
+        $lifetime = 3600;
+        $cookieProvider = new JWTCookieProvider("default_name", $lifetime);
+        $cookie = $cookieProvider->createCookie("header.payload.signature");
+
+        $this->assertEquals(time() + $lifetime, $cookie->getExpiresTime());
+    }
+
+    public function testCreateSessionCookie()
+    {
+        $cookieProvider = new JWTCookieProvider("default_name", 0);
+        $cookie = $cookieProvider->createCookie("header.payload.signature");
+
+        $this->assertEquals(0, $cookie->getExpiresTime());
+    }
+}