Use date-insensitive cookie expiration

rgaudin · rgaudin · commit e9069e1e6ea8 · 2026-03-11T10:41:42.000Z
On an out-of-time host (any raspberry offline and without working, battery-backed RTC), the cookie expiration would likely be set to a date in the past. Connecting via a strict, time-synced device (iOS) would thus not send (or even remove) the cookie set at credentials-sending\ resulting in a redirect to the login page. We are now setting the expiration as a seconds offset from now, that the client itself will interpret. https://datatracker.ietf.org/doc/html/rfc6265#section-5.2.2 Fixes #8
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,6 +11,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Password visibility toggle on login page (dashboard#46)
 
+## Fixed
+
+- Unable to login in on out-of-time systems (#8)
+
 ## [1.3.2] - 2025-12-11
 
 ### Fixed
diff --git a/src/adminui/auth/session.py b/src/adminui/auth/session.py
@@ -12,6 +12,11 @@ class Session(BaseModel):
     id: UUID
     expire_on: datetime.datetime
 
+    @property
+    def expire_in(self) -> int:
+        """ nb of seconds from now until expiration"""
+        return int((self.expire_on - get_now()).total_seconds())
+
     @property
     def is_valid(self) -> bool:
         return self.expire_on > get_now()
diff --git a/src/adminui/auth/views.py b/src/adminui/auth/views.py
@@ -65,7 +65,7 @@ def login_auth(
         response.set_cookie(
             key=SESSION_COOKIE_NAME,
             value=str(session.id),
-            expires=session.expire_on,
+            max_age=session.expire_in,
             httponly=True,
         )
         return response

Original file line number	Diff line number	Diff line change
`@@ -65,7 +65,7 @@ def login_auth(`
`65`	`65`	`response.set_cookie(`
`66`	`66`	`key=SESSION_COOKIE_NAME,`
`67`	`67`	`value=str(session.id),`
`68`		`- expires=session.expire_on,`
	`68`	`+ max_age=session.expire_in,`
`69`	`69`	`httponly=True,`
`70`	`70`	`)`
`71`	`71`	`return response`