Will It Vibe logoWill It Vibe?
AUTHZ-020Low severity-4 points

Excessively long session cookie lifetime

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.

What it detects

A session cookie maxAge is set to an extremely large value (roughly four months or more in milliseconds), so a stolen cookie stays valid for a very long time.

Why it matters

A session cookie whose maxAge is set to hundreds of days keeps the session valid for that entire window. If the cookie is ever stolen, the attacker has months of access, and the long lifetime also defeats any expectation that idle sessions eventually end. Long absolute lifetimes multiply the impact of any single cookie leak.

How to fix it

Shorten the session cookie lifetime to hours or a small number of days, and use a rolling/idle timeout so activity extends the session rather than one long absolute expiry. For long-lived login, use a separate refresh mechanism you can revoke server-side instead of a very long cookie. Store the value as a named constant in a readable unit.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks