implemented persistent sessions (not destroyed when broweser closed) – needs more work

Signed-off-by: Stephan Richter <s.richter@srsoftware.de>

de.srsoftware.http/src/main/java/de/srsoftware/http/SessionToken.java

@@ -4,11 +4,21 @@ package de.srsoftware.http;
 
 import com.sun.net.httpserver.Headers;
 import com.sun.net.httpserver.HttpExchange;
+
+import java.time.Instant;
+import java.time.ZoneOffset;
+import java.time.format.DateTimeFormatter;
 import java.util.Optional;
 
 
 public class SessionToken extends Cookie {
 	private final String sessionId;
+	private static final DateTimeFormatter FORMAT = DateTimeFormatter.ofPattern("MM/dd/yyyy HH:mm:ss O");
+
+	public SessionToken(String sessionId, Instant expiration){
+		super("sessionToken", "%s; Path=/api; Expires=%s".formatted(sessionId,FORMAT.format(expiration.atZone(ZoneOffset.UTC))));
+		this.sessionId = sessionId;
+	}
 
 	public SessionToken(String sessionId) {
 		super("sessionToken", sessionId + "; Path=/api");
@@ -17,8 +27,8 @@ public class SessionToken extends Cookie {
 
 	@Override
 	public <T extends Cookie> T addTo(Headers headers) {
-		headers.add("session", sessionId);
-		return (T)this;	 // super.addTo(headers);
+		headers.add("session", getValue());
+		return super.addTo(headers);
 	}
 
 	public static Optional<SessionToken> from(HttpExchange ex) {

de.srsoftware.oidc.backend/src/main/java/de/srsoftware/oidc/backend/UserController.java

@@ -225,7 +225,7 @@ public class UserController extends Controller {
 		var user = optUser.get();
 		users.updatePassword(user, newPass);
 		var session = sessions.createSession(user);
-		new SessionToken(session.id()).addTo(ex);
+		new SessionToken(session.id(),session.expiration()).addTo(ex);
 		return sendRedirect(ex, "/");
 	}
 
@@ -266,7 +266,7 @@ public class UserController extends Controller {
 	}
 
 	private boolean sendUserAndCookie(HttpExchange ex, Session session, User user) throws IOException {
-		new SessionToken(session.id()).addTo(ex);
+		new SessionToken(session.id(),session.expiration()).addTo(ex);
 		return sendContent(ex, user.map(false));
 	}
 

de.srsoftware.oidc.web/src/main/resources/en/login.html

@@ -28,6 +28,14 @@
                         <th>Error</th>
                         <td class="warning">Failed to log in!</td>
                     </tr>
+                    <tr>
+                        <td colspan="2">
+                            <label>
+                                <input type="checkbox" name="trust" checked="checked"/>
+                                Quit session when browser is closed.
+                            </label>
+                        </td>
+                    </tr>
                     <tr>
                         <td></td>
                         <td><button type="button" onClick="tryLogin()">Login</button></td>

de.srsoftware.oidc.web/src/main/resources/en/scripts/login.js

@@ -7,8 +7,13 @@ function doRedirect(){
 function handleLogin(response){
     if (response.ok){ 
         response.headers.forEach(function(val, key) {
+            console.log('header: '+key+' → '+val);
             // in newer browsers, the cookie is set from fetch response. In older browsers this does not seem to work
-            if (key == 'session') document.cookie = 'sessionToken='+val+"; path=/api"
+            if (key == 'session') {
+                val = 'sessionToken='+val;
+                console.log('setting cookie: '+val);
+                document.cookie = val;
+            }
         });
        response.json().then(body => {
           hide('error');

de.srsoftware.oidc.web/src/main/resources/en/todo.html

@@ -16,6 +16,7 @@
                 <li>implement token refresh</li>
                 <li>Verschlüsselung im config-File</li>
                 <li>Configuration im Frontend</li>
+                <li>Process <em>quit session when browser is closed</em> input on login</li>
             </ul>
         </div>
     </body>