Make session cookie expiration configurable in @asgardeo/nextjs SDK

[HasiniSama]

Description

The @asgardeo/nextjs SDK (v0.2.5) currently uses a hardcoded session cookie expiration of 3600 seconds (1 hour). In SessionManager.ts, the getSessionCookieOptions method sets this value using the DEFAULT_EXPIRY_SECONDS constant [1].

As a result, the session cookie expires after one hour regardless of OIDC token validity. The SDK also does not support refresh tokens or sliding sessions, so the session cannot be extended beyond this fixed duration.

It would be useful to make the session expiration configurable or align it with token/session validity, and to consider support for refresh tokens or sliding sessions.

[1]

javascript/packages/nextjs/src/utils/SessionManager.ts

Lines 163 to 177 in a0b8888

	static getSessionCookieOptions(): {
	httpOnly: boolean;
	maxAge: number;
	path: string;
	sameSite: 'lax';
	secure: boolean;
	} {
	return {
	httpOnly: true,
	maxAge: this.DEFAULT_EXPIRY_SECONDS,
	path: '/',
	sameSite: 'lax' as const,
	secure: process.env['NODE_ENV'] === 'production',
	};
	}

Steps to Reproduce

N/A

Please select the area the issue is related to

@asgardeo/nextjs

Version

v0.2.5

Environment Details (with versions)

No response

Reporter Checklist

• I have searched the existing issues and this is not a duplicate.
• I have provided all the necessary information.
• I have tested the issue on the latest version of the package.

[HasiniSama]

Addtional comments -->

Lets check how NextAuth.js handles refresh. Whether they set the refresh token as a HTTP only cookie at the client etc.

Ideal case is we need to document how users can plug in a key value DB like Redis and maintain the session data in the backend.

https://authjs.dev/guides/refresh-token-rotation?_gl=11ntvr4g_gcl_au*NjQwNzYwMDguMTc3NTQ1MzkzOA

[kavindadimuthu]

I like to work on this