vanilla · tburry · Jun 12, 2020 · Jun 12, 2020
diff --git a/dist/functions.jsconnect.php b/dist/functions.jsconnect.php
@@ -268,6 +268,10 @@ class JsConnect
      * @var string
      */
     protected $signingAlgorithm;
+    /**
+     * @var int
+     */
+    protected $timeout = self::TIMEOUT;
     /**
      * JsConnect constructor.
      */
@@ -468,7 +472,7 @@ public function setGuest(bool $isGuest)
      */
     public function jwtEncode(array $payload) : string
     {
-        $payload += ['v' => $this->getVersion(), 'iat' => $this->getTimestamp(), 'exp' => $this->getTimestamp() + self::TIMEOUT];
+        $payload += ['v' => $this->getVersion(), 'iat' => $this->getTimestamp(), 'exp' => $this->getTimestamp() + $this->getTimeout()];
         $jwt = JWT::encode($payload, $this->getSigningSecret(), $this->getSigningAlgorithm(), null, [self::FIELD_CLIENT_ID => $this->getSigningClientID()]);
         return $jwt;
     }
@@ -591,6 +595,26 @@ public function getVersion() : string
     {
         return self::VERSION;
     }
+    /**
+     * Get the JWT expiry timeout.
+     *
+     * @return int
+     */
+    public function getTimeout() : int
+    {
+        return $this->timeout;
+    }
+    /**
+     * Set the JWT expiry timeout.
+     *
+     * @param int $timeout
+     * @return $this
+     */
+    public function setTimeout(int $timeout)
+    {
+        $this->timeout = $timeout;
+        return $this;
+    }
 }
 }
 

diff --git a/src/JsConnect.php b/src/JsConnect.php
@@ -64,6 +64,11 @@ class JsConnect {
      */
     protected $signingAlgorithm;
 
+    /**
+     * @var int
+     */
+    protected $timeout = self::TIMEOUT;
+
     /**
      * JsConnect constructor.
      */
@@ -278,7 +283,7 @@ public function jwtEncode(array $payload): string {
         $payload += [
             'v' => $this->getVersion(),
             'iat' => $this->getTimestamp(),
-            'exp' => $this->getTimestamp() + self::TIMEOUT,
+            'exp' => $this->getTimestamp() + $this->getTimeout(),
         ];
 
         $jwt = JWT::encode($payload, $this->getSigningSecret(), $this->getSigningAlgorithm(), null, [
@@ -405,4 +410,24 @@ final public static function decodeJWTHeader(string $jwt): ?array {
     public function getVersion(): string {
         return self::VERSION;
     }
+
+    /**
+     * Get the JWT expiry timeout.
+     *
+     * @return int
+     */
+    public function getTimeout(): int {
+        return $this->timeout;
+    }
+
+    /**
+     * Set the JWT expiry timeout.
+     *
+     * @param int $timeout
+     * @return $this
+     */
+    public function setTimeout(int $timeout) {
+        $this->timeout = $timeout;
+        return $this;
+    }
 }
diff --git a/src/JsConnectServer.php b/src/JsConnectServer.php
@@ -7,6 +7,7 @@
 
 namespace Vanilla\JsConnect;
 
+use Firebase\JWT\ExpiredException;
 use Firebase\JWT\JWT;
 use Vanilla\JsConnect\Exceptions\InvalidValueException;
 
@@ -46,13 +47,17 @@ public function generateRequest(array $state = []): array {
             // The cookie was already set. Make sure it's one of ours.
             try {
                 $decodedCookie = $this->jwtDecode($state[self::FIELD_COOKIE]);
+            } catch (ExpiredException $ex) {
+                // The cookie was valid, but expired so issue a new one.
+                goto GENERATE_COOKIE;
             } catch (\Exception $ex) {
                 throw new InvalidValueException('Could not use supplied jsConnect SSO token: '.$ex->getMessage());
             }
             $nonce = self::validateFieldExists(self::FIELD_NONCE, $decodedCookie, 'ssoToken');
             $cookie = $state[self::FIELD_COOKIE];
             unset($state[self::FIELD_COOKIE]);
         } else {
+            GENERATE_COOKIE:
             $nonce = JWT::urlsafeB64Encode(openssl_random_pseudo_bytes(15));
             $cookie = $this->jwtEncode([self::FIELD_NONCE => $nonce]);
         }

diff --git a/tests/JsConnectServerTest.php b/tests/JsConnectServerTest.php
@@ -123,6 +123,17 @@ public function testCookieReuse(): void {
         $this->assertArrayNotHasKey(JsConnectServer::FIELD_COOKIE, $decoded2, "The cookie should be double encoded.");
     }
 
+    /**
+     * If I try to re-use an expired, but valid cookie then a new one should be generated.
+     */
+    public function testCookieReuseTimeout(): void {
+        $this->jsc->setTimeout(1);
+        list($_, $cookie) = $this->jsc->generateRequest();
+        sleep(2);
+        list($_, $cookie2) = $this->jsc->generateRequest([JsConnectServer::FIELD_COOKIE => $cookie]);
+        $this->assertNotSame($cookie, $cookie2);
+    }
+
     /**
      * I should not be able to re-use any old cookie value for JsConnect.
      */