Skip to content

fix: cookie max age 변경 - #193 #194

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
sjk4618 merged 1 commit into from
Dec 9, 2025
Merged

fix: cookie max age 변경 - #193 #194

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 2 additions & 3 deletions src/main/java/com/permitseoul/permitserver/domain/auth/api/controller/AuthController.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,6 @@
@RequiredArgsConstructor
public class AuthController {
private final AuthService authService;
private final JwtProperties jwtProperties;

//회원가입
@PostMapping("/signup")
Expand Down Expand Up @@ -81,8 +80,8 @@ public ResponseEntity<BaseResponse<?>> logout(

private ResponseEntity<BaseResponse<?>> responseWithGeneratedCookie(final HttpServletResponse response,
final TokenDto tokenDto) {
final ResponseCookie accessTokenCookie = CookieCreatorUtil.createAccessTokenCookie(tokenDto.accessToken(), jwtProperties.accessTokenExpirationTime());
final ResponseCookie refreshTokenCookie = CookieCreatorUtil.createRefreshTokenCookie(tokenDto.refreshToken(), jwtProperties.refreshTokenExpirationTime());
final ResponseCookie accessTokenCookie = CookieCreatorUtil.createAccessTokenCookie(tokenDto.accessToken());
final ResponseCookie refreshTokenCookie = CookieCreatorUtil.createRefreshTokenCookie(tokenDto.refreshToken());
response.setHeader(Constants.SET_COOKIE, accessTokenCookie.toString());
response.addHeader(Constants.SET_COOKIE, refreshTokenCookie.toString());

Expand Down
19 changes: 7 additions & 12 deletions src/main/java/com/permitseoul/permitserver/domain/auth/core/jwt/CookieCreatorUtil.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,9 +7,7 @@

@NoArgsConstructor(access = AccessLevel.PRIVATE)
public class CookieCreatorUtil {
private static JwtProperties jwtProperties;
private static final long ACCESS_COOKIE_EXTRA_SECONDS = 5L * 60; // 5분
private static final long REFRESH_COOKIE_EXTRA_SECONDS = 15L * 60; // 15분
private static final long COOKIE_MAX_AGE = 90L; // 90초 테스트용
Copy link

@coderabbitai coderabbitai bot Dec 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's read the full CookieCreatorUtil.java file to understand context
cat -n src/main/java/com/permitseoul/permitserver/domain/auth/core/jwt/CookieCreatorUtil.java

Repository: PERMIT-SEOUL/permit-server

Length of output: 2809

🏁 Script executed:

# Search for application configuration files
find . -type f \( -name "application*.properties" -o -name "application*.yml" -o -name "application*.yaml" \) | head -20

Repository: PERMIT-SEOUL/permit-server

Length of output: 52

🏁 Script executed:

# Check if there are any configuration classes or beans related to cookie settings
rg -i "cookie.*max.*age|COOKIE_MAX_AGE" --type java

Repository: PERMIT-SEOUL/permit-server

Length of output: 643

🏁 Script executed:

# Check for environment-specific settings
fd -e properties -e yml -e yaml | grep -E "(prod|dev|test|config)" | head -20

Repository: PERMIT-SEOUL/permit-server

Length of output: 52

🏁 Script executed:

# Check git history for CookieCreatorUtil.java
git log --oneline src/main/java/com/permitseoul/permitserver/domain/auth/core/jwt/CookieCreatorUtil.java | head -10

Repository: PERMIT-SEOUL/permit-server

Length of output: 107

🏁 Script executed:

# Check for CI/CD or deployment files
find . -type f \( -name "*.yml" -o -name "*.yaml" -o -name "Dockerfile" -o -name ".github" -o -name "pom.xml" \) | head -20

Repository: PERMIT-SEOUL/permit-server

Length of output: 222

🏁 Script executed:

# Check if this is a production project by looking at pom.xml or build files
ls -la | grep -E "(pom|build|gradle|docker)"

Repository: PERMIT-SEOUL/permit-server

Length of output: 370

🏁 Script executed:

# Let's check the recent commit to see what "fix" was made
git show 91dc9fe --stat

Repository: PERMIT-SEOUL/permit-server

Length of output: 31912

Test configuration in production cookie settings.

The constant COOKIE_MAX_AGE = 90L with comment "90초 테스트용" is being used in both createAccessTokenCookie() and createRefreshTokenCookie(). A 90-second max-age is far too short for production use, particularly for refresh tokens, and will cause frequent user logouts.

This needs to be replaced with appropriate production values:

  • Access token: 15-30 minutes
  • Refresh token: 7-30 days

Also remove the unused toCookieMaxAgeSeconds() method (lines 63-65) and consider externalizing cookie lifetimes to configuration properties to allow environment-specific values.

private static final long RESERVED_MAX_AGE = 10L * 60; // 10분(10분간 선점 가능)

public static ResponseCookie createReservationSessionCookie(final String sessionKey) {
Expand All @@ -22,21 +20,19 @@ public static ResponseCookie createReservationSessionCookie(final String session
.build();
}

public static ResponseCookie createAccessTokenCookie(final String accessToken, final long accessTokenExpirationMillis) {
final long maxAgeSeconds = toCookieMaxAgeSeconds(accessTokenExpirationMillis, ACCESS_COOKIE_EXTRA_SECONDS);
public static ResponseCookie createAccessTokenCookie(final String accessToken) {
return ResponseCookie.from(Constants.ACCESS_TOKEN, accessToken)
.maxAge(maxAgeSeconds)
.maxAge(COOKIE_MAX_AGE)
.path("/")
.httpOnly(true)
.secure(true)
.sameSite("None")
.build();
}

public static ResponseCookie createRefreshTokenCookie(final String refreshToken, final long refreshTokenExpirationMillis) {
final long maxAgeSeconds = toCookieMaxAgeSeconds(refreshTokenExpirationMillis, REFRESH_COOKIE_EXTRA_SECONDS);
public static ResponseCookie createRefreshTokenCookie(final String refreshToken) {
return ResponseCookie.from(Constants.REFRESH_TOKEN, refreshToken)
.maxAge(maxAgeSeconds)
.maxAge(COOKIE_MAX_AGE)
.path("/")
.httpOnly(true)
.secure(true)
Expand Down Expand Up @@ -64,8 +60,7 @@ public static ResponseCookie deleteRefreshTokenCookie() {
.build();
}

private static long toCookieMaxAgeSeconds(long jwtExpirationMillis, long extraSeconds) {
long baseSeconds = jwtExpirationMillis / 1000;
return baseSeconds + extraSeconds;
private static long toCookieMaxAgeSeconds(final long jwtExpirationMillis) {
return jwtExpirationMillis / 1000;
}
}