Add timeouts to State, not implemented yet.

serversession-frontend-yesod/src/Web/ServerSession/Frontend/Yesod.hs

@@ -1,3 +1,4 @@
+-- | Yesod server-side session support.
 module Web.ServerSession.Frontend.Yesod
   ( -- * Using server-side sessions
     simpleBackend
@@ -5,7 +6,13 @@ module Web.ServerSession.Frontend.Yesod
     -- * Invalidating session IDs
   , forceInvalidate
   , ForceInvalidate(..)
+    -- * State configuration
+  , setCookieName
+  , setAuthKey
+  , setIdleTimeout
+  , setAbsoluteTimeout
+  , State
   ) where
 
-import Web.ServerSession.Core (ForceInvalidate(..))
+import Web.ServerSession.Core
 import Web.ServerSession.Frontend.Yesod.Internal

serversession-frontend-yesod/src/Web/ServerSession/Frontend/Yesod/Internal.hs

@@ -1,3 +1,5 @@
+-- | Internal module exposing the guts of the package.  Use at
+-- your own risk.  No API stability guarantees apply.
 module Web.ServerSession.Frontend.Yesod.Internal
   ( simpleBackend
   , backend

serversession/src/Web/ServerSession/Core.hs

@@ -7,15 +7,17 @@ module Web.ServerSession.Core
 
     -- * For serversession frontends
   , SessionMap
-  , State(..)
+  , State
   , createState
-  , setAuthKey
   , loadSession
   , saveSession
   , SaveSessionToken
   , forceInvalidateKey
     -- ** To be re-exported by frontends
   , setCookieName
+  , setAuthKey
+  , setIdleTimeout
+  , setAbsoluteTimeout
   , ForceInvalidate(..)
   ) where
 

serversession/src/Web/ServerSession/Core/Internal.hs

@@ -13,6 +13,8 @@ module Web.ServerSession.Core.Internal
   , createState
   , setCookieName
   , setAuthKey
+  , setIdleTimeout
+  , setAbsoluteTimeout
   , loadSession
   , saveSession
   , SaveSessionToken(..)
@@ -206,6 +208,45 @@ setAuthKey :: Text -> State s -> State s
 setAuthKey val state = state { authKey = val }
 
 
+-- | Set the idle timeout for all sessions.  This is used both on
+-- the client side (by setting the cookie expires fields) and on
+-- the server side (the idle timeout is enforced even if the
+-- cookie expiration is ignored).  Setting to @Nothing@ removes
+-- the idle timeout entirely.
+--
+-- \"[The idle timemout] defines the amount of time a session
+-- will remain active in case there is no activity in the
+-- session, closing and invalidating the session upon the defined
+-- idle period since the last HTTP request received by the web
+-- application for a given session ID.\"
+-- (<https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Idle_Timeout Source>)
+--
+-- Defaults to 7 days.
+setIdleTimeout :: Maybe DiffTime -> State s -> State s
+setIdleTimeout (Just d) _ | d <= 0 = error "serversession/setIdleTimeout: Timeout should be positive."
+setIdleTimeout val state = state { idleTimeout = val }
+
+
+-- | Set the absolute timeout for all sessions.  This is used both on
+-- the client side (by setting the cookie expires fields) and on
+-- the server side (the absolute timeout is enforced even if the
+-- cookie expiration is ignored).  Setting to @Nothing@ removes
+-- the absolute timeout entirely.
+--
+-- \"[The absolute timeout] defines the maximum amount of time a
+-- session can be active, closing and invalidating the session
+-- upon the defined absolute period since the given session was
+-- initially created by the web application. After invalidating
+-- the session, the user is forced to (re)authenticate again in
+-- the web application and establish a new session.\"
+-- (<https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Absolute_Timeout Source>)
+--
+-- Defaults to 60 days.
+setAbsoluteTimeout :: Maybe DiffTime -> State s -> State s
+setAbsoluteTimeout (Just d) _ | d <= 0 = error "serversession/setAbsoluteTimeout: Timeout should be positive."
+setAbsoluteTimeout val state = state { absoluteTimeout = val }
+
+
 -- | Load the session map from the storage backend.  The value of
 -- the session cookie should be given as argument if present.
 --