
Set ttl for hapi-auth-cookie for specific route

I'm trying to create a user login page that has a 'remember me' checkbox. Sounds simple, right?

When the user logs in without the 'remember me' checkbox selected, a default session ttl would be set to 10 seconds (10000 ms). However, if the 'remember me' checkbox is selected, then the ttl would be set to 100000 seconds (100000000 ms).

Skipping all of the authentication of username and password stuff, I've set up this small demo to exemplify my goals. Unfortunately, it seems that the session ttl is ALWAYS 10 seconds, and is never 100000 seconds.

Here's the pastebin for the code below: http://pastebin.com/45bRfxkn

var Hapi   = require('hapi');
var AuthCookie = require('hapi-auth-cookie');

var server = new Hapi.Server('localhost',4000); // make a server

// this function is just for my example, I'll use an actual logger later...
function xhrlog(request){
   var auth = request.auth.isAuthenticated ? "Authenticated" : "Not Authenticated";
   console.log(request.method.toUpperCase()+" request to "+request.path+" is "+auth+".");
}

// this is the handler for the '/' route.  You should start at this route first (it represents the login page)
function firstLoad(request, reply){
   xhrlog(request);
   request.auth.session.set({});
   reply("<p style='color:blue'>click the button to test.</p><input type='button' id='foo' value='click me'></input><script>document.getElementById('foo').addEventListener('click', function(){ window.location = './newLocation'});</script> ");  
}

// this is the page that I would expect to have created a session cookie with a ttl of 100000. But it doesn't.
function authorized(request,reply){
   xhrlog(request);
   reply("<p style='width: 300px;'>This is the authorized page.  I would expect this page to have a session timeout of 100000 seconds.  But it doesn't, it only has 10 seconds.  Keep refreshing to see if you are still alive!</p>");
}

// set up the unauthenticated route here. this is the "login" page.
server.route({
   method:'GET',
   path:'/',
   config: {
      handler: firstLoad
   }
});

server.pack.register(AuthCookie, function(err){

   // set up strategy for the session cookie.  It defaults to 10000 ms
   server.auth.strategy('session', 'cookie', {
      password: 'secret',
      cookie: 'iDontKnowWhatThisIsFor',
      redirectTo: '/',
      isSecure: false,
      ttl: 10000
   });

   // set up the route for the 'remember me' page.  It should have a ttl of 100000000 ms.
   server.route({
      method: 'GET',
      path: '/newLocation',
      config: {
         handler: authorized,
         auth: {
            mode: 'try',
            strategy: 'session'
         },
         plugins: { 'hapi-auth-cookie' : { ttl: 100000000 }}  
      }
   });
});

You can set a different ttl value on the reply interface. This ttl value overrides the default session cookie's ttl.

reply("test").state("session", session, {ttl: 365 * 30 * 7 * 24 * 60 * 60 * 1000});

In case anyone finds themselves here, it appears the answer would be different with the current version of hapi-auth-cookie. I tried using the accepted answer, but it would not change the route-specific ttl value.

According to the API documentation, request.cookieAuth.ttl(milliseconds) will override the default strategy settings. While not clearly documented, you can also pass the value null and have the cookie set to Session in the browser. I was able to successfully override the ttl setting in a situation similar to the original poster's.

However, most modern browsers end up saving the cookie because they store browser tabs etc. for reopening. I would recommend setting the ttl to something less than a day if you want to be very certain the cookie will be expired. It is not a perfect solution for matching the expected behavior of a session cookie.

See example code snippet:

if (response.login) {
  var session = { sid: response.sid };
  request.cookieAuth.set(session);
  // check if login form had remember me checkbox selected
  if (request.payload.remember) {
    return reply.redirect(request.query.next); // uses default strategy ttl setting for cookie
  } else {
    request.cookieAuth.ttl(24 * 60 * 60 * 1000); // override ttl to 24 hours
    return reply.redirect(request.query.next);
  }
}
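The per-request override from this answer, combined with the caveat that browsers may keep a cookie past its ttl, suggests storing the expiry inside the sealed cookie as well so the server can enforce it. The following is an added example, not code from either answer or from hapi-auth-cookie itself; the form field names sid and remember and the fake request/reply stand-ins are assumptions, and the strategy's validateFunc signature (which would call isSessionValid) depends on the plugin version.

```javascript
'use strict';

// Cookie lifetimes in ms: the question's 10 s default and 100000 s "remember me".
const SESSION_TTL_MS = 10 * 1000;
const REMEMBER_ME_TTL_MS = 100000 * 1000;

// Build the cookie payload. The absolute expiry `exp` is stored inside the cookie
// (hapi-auth-cookie seals it with the strategy password), so the server can
// enforce it even when a browser restores a cookie it should have dropped.
function buildSession(sid, remember, now) {
  const ttl = remember ? REMEMBER_ME_TTL_MS : SESSION_TTL_MS;
  return { sid: sid, remember: Boolean(remember), exp: now + ttl, ttl: ttl };
}

// Server-side expiry check; meant to be called from the strategy's validateFunc
// (whose exact signature depends on the hapi-auth-cookie version).
function isSessionValid(session, now) {
  return Boolean(session) && typeof session.exp === 'number' && now < session.exp;
}

// Login handler. Assumes the login form posts `sid` and `remember` (hypothetical
// field names) and that password checking has already succeeded upstream.
function loginHandler(request, reply, now) {
  const session = buildSession(request.payload.sid, request.payload.remember, now);
  request.cookieAuth.set(session);
  request.cookieAuth.ttl(session.ttl); // per-request override of the strategy ttl
  return reply.redirect('/newLocation');
}

// Runs loginHandler against constructed stand-ins for hapi's request and reply
// objects, recording what the handler asked hapi-auth-cookie to do.
function simulateLogin(remember, now) {
  const recorded = { session: null, ttl: null, redirect: null };
  const request = {
    payload: { sid: 'constructed-session-id', remember: remember },
    cookieAuth: {
      set: function (s) { recorded.session = s; },
      ttl: function (ms) { recorded.ttl = ms; }
    }
  };
  const reply = { redirect: function (url) { recorded.redirect = url; return recorded; } };
  loginHandler(request, reply, now);
  return recorded;
}
```

With this layout a cookie that a browser kept alive past its ttl is still rejected once now passes session.exp, which is the check the answer's ttl override alone cannot give you.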
