Change request for Cookie expiry

In Cookies.cs, we see:

       public void AddPermanentCookie(string cookieName, string cookieValue, bool? secureOnly = null)
        var cookie = new Cookie(cookieName, cookieValue, RootPath) {
            Expires = DateTime.UtcNow.AddYears(20)
        if (secureOnly != null)
            cookie.Secure = secureOnly.Value;

Please use the SessionFeature with a TimeSpan for the Expires. 20 years is a long time, and moreover, we cannot override it. PermanentSessionExpiry is already defined, but not used.

The 20 years means this permanent Cookie lasts forever, i.e. It’s Permanent. No one is expecting to wait 20 years for permanent cookies to expire, it lasts until they logout or clear their Cookies. In all likelihood they’re not going use the same device for 20 years, they’ll be lucky if the same website will be around in 20 years.

You likely don’t want to use a Permanent Cookie if you’re concerned about its expiry.

The problem lies herein that we cannot turn this off. The cookie is generated anyway.

You should be able to suppress ss-pid cookie by overriding AllowSetCookie in your AppHost, e.g:

public override bool AllowSetCookie(IRequest req, string cookieName)
    return = cookieName != SessionFeature.PermanentSessionId 
        && base.AllowSetCookie(req,cookieName);

But this will prevent Authenticating with ?RememberMe=true.

That is fine. Will test. Thx!