darkbluellc · ddbruce · Jan 3, 2026 · Oct 25, 2025 · Oct 25, 2025 · Oct 25, 2025
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "fullsend",
-  "version": "1.8.0",
+  "version": "1.8.1",
   "description": "Fullsend allows allowed users to send bulk text messages to groups of recipients",
   "main": "server.js",
   "scripts": {

diff --git a/public/help.html b/public/help.html
@@ -63,6 +63,10 @@ <h1>Fullsend</h1>
         <div class="row mt-5">
             <div class="col">
                 <h2>Changelog</h2><br>
+                <h3>v1.8.1</h3>
+                <p>
+                    Fixes how sessions are handled on the user's side.
+                </p>
                 <h3>v1.8.0</h3>
                 <p>
                     Adds (finally!) authentication via OpenID Connect (OIDC) and Keycloak. Users must have the <code>fullsend_access</code> role in Keycloak to use the application and <code>fullsend_admin</code> to administer it.

diff --git a/server.js b/server.js
@@ -31,11 +31,20 @@ const pool = mariadb.createPool({
 const PORT = process.env.PORT || 8080;
 
 // Session middleware (required for server-side login flow)
+// Configure cookie maxAge from env (seconds) and enable rolling so the cookie
+// expiration is refreshed on each response. Defaults to 7 days.
+const sessionMaxAgeSeconds = parseInt(process.env.SESSION_MAX_AGE || '604800', 10); // 7 days
 app.use(session({
   secret: process.env.SESSION_SECRET || 'a very long secret',
   resave: false,
   saveUninitialized: false,
-  cookie: { secure: false }, // set secure: true if using HTTPS
+  rolling: true, // refresh cookie expiration on every response
+  cookie: {
+    secure: (process.env.NODE_ENV === 'production'), // set to true in prod when using HTTPS
+    httpOnly: true,
+    sameSite: 'lax',
+    maxAge: sessionMaxAgeSeconds * 1000,
+  },
 }));
 
 // Initialize OIDC discovery (will be awaited before server starts)