Add ability to set cookie expiry time

README.md

@@ -216,6 +216,11 @@ MellonDiagnosticsEnable Off
         # Default: /
         MellonCookiePath /
 
+        # MellonCookieExpires seconds into the future the cookie will expire
+        # the date will be now() + MellonCookieExpires
+        # Default: Unset (Browser Session)
+        # MellonCookieExpires 86400
+
         # MellonCookieSameSite allows control over the SameSite value used
         # for the authentication cookie.
         # The setting accepts values of "Strict" or "Lax"

auth_mellon.h

@@ -268,6 +268,9 @@ typedef struct am_dir_cfg_rec {
     /* Maximum number of seconds a session is valid for. */
     int session_length;
 
+    /* When cookie expires */
+    int cookie_expires;
+
     /* No cookie error page. */
     const char *no_cookie_error_page;
 

auth_mellon_config.c

@@ -1426,6 +1426,14 @@ const command_rec auth_mellon_commands[] = {
         "Maximum number of seconds a session will be valid for. Defaults"
         " to 86400 seconds (1 day)."
         ),
+    AP_INIT_TAKE1(
+        "MellonCookieExpires",
+        ap_set_int_slot,
+        (void *)APR_OFFSETOF(am_dir_cfg_rec, cookie_expires),
+        OR_AUTHCFG,
+        "Maximum number of seconds a cookie will be valid for"
+        "Defaults to browser session"
+        ),
     AP_INIT_TAKE1(
         "MellonNoCookieErrorPage",
         ap_set_string_slot,
@@ -1723,6 +1731,7 @@ void *auth_mellon_dir_config(apr_pool_t *p, char *d)
     dir->endpoint_path = default_endpoint_path;
 
     dir->session_length = -1; /* -1 means use default. */
+    dir->cookie_expires = -1; /* -1 means use default. */
 
     dir->no_cookie_error_page = NULL;
     dir->no_success_error_page = NULL;
@@ -1897,6 +1906,10 @@ void *auth_mellon_dir_merge(apr_pool_t *p, void *base, void *add)
                                add_cfg->session_length :
                                base_cfg->session_length);
 
+    new_cfg->cookie_expires = (add_cfg->cookie_expires != -1 ?
+                               add_cfg->cookie_expires :
+                               base_cfg->cookie_expires);
+
     new_cfg->no_cookie_error_page = (add_cfg->no_cookie_error_page != NULL ?
                                      add_cfg->no_cookie_error_page :
                                      base_cfg->no_cookie_error_page);

auth_mellon_cookie.c

@@ -1,7 +1,7 @@
 /*
  *
  *   auth_mellon_cookie.c: an authentication apache module
- *   Copyright � 2003-2007 UNINETT (http://www.uninett.no/)
+ *   Copyright © 2003-2007 UNINETT (http://www.uninett.no/)
  *
  *   This program is free software; you can redistribute it and/or modify
  *   it under the terms of the GNU General Public License as published by
@@ -59,6 +59,9 @@ static const char *am_cookie_params(request_rec *r)
     const char *cookie_domain = ap_get_server_name(r);
     const char *cookie_path = "/";
     const char *cookie_samesite = "";
+    const char *cookie_expires = "";
+    char rbuf[APR_RFC822_DATE_LEN + 1];
+
     am_dir_cfg_rec *cfg = am_get_dir_cfg(r);
 
     if (cfg->cookie_domain) {
@@ -78,12 +81,20 @@ static const char *am_cookie_params(request_rec *r)
     secure_cookie = cfg->secure;
     http_only_cookie = cfg->http_only;
 
+    if ( cfg->cookie_expires > -1 ) {
+      apr_rfc822_date(rbuf, apr_time_now() + (APR_USEC_PER_SEC * cfg->cookie_expires));
+      cookie_expires = apr_psprintf(r->pool, "; Expires=%s", rbuf);
+    }
+
     return apr_psprintf(r->pool,
-                        "Version=1; Path=%s; Domain=%s%s%s%s",
+
+                        "Version=1; Path=%s; Domain=%s%s%s%s%s",
+
                         cookie_path, cookie_domain,
                         http_only_cookie ? "; HttpOnly" : "",
                         secure_cookie ? "; secure" : "",
-                        cookie_samesite);
+                        cookie_samesite,
+                        cfg->cookie_expires > -1 ? cookie_expires : "");
 }
 
 

doc/user_guide/mellon_user_guide.adoc

@@ -1948,8 +1948,6 @@ validity period for a Mellon session is the lesser of the
 `MellonSessionLength` or the optional IdP `SessionNotOnOrAfter`
 attribute if the IdP supplied it.
 
-
-
 === Mellon Cookie [[mellon_cookie]]
 
 <<mellon_session>> information is communicated via a cookie. The
@@ -1977,6 +1975,10 @@ is found and it remains valid, Mellon immediately grants access. A
 Mellon session will expire, see <<mellon_session>> for information
 concerning session lifetime.
 
+MellonCookieExpires can change how long the cookie lives.  By default cookie
+lives as long as browser session, but using MellonCookieExpires directive
+it's possible to set cookie expiry that many seconds into the future
+
 == Working with SAML attributes and exporting values to web apps
 
 When you receive a SAML assertion authenticating a subject, the