hypothesis · seanh · Sep 19, 2024 · Sep 19, 2024
diff --git a/h/security/policy/top_level.py b/h/security/policy/top_level.py
@@ -1,3 +1,5 @@
+from datetime import timedelta
+
 import webob
 from pyramid.request import RequestLocalCache
 from pyramid.security import Allowed, Denied
@@ -10,7 +12,7 @@
 from h.security.policy._cookie import CookiePolicy
 from h.security.policy.helpers import AuthTicketCookieHelper, is_api_request
 
-HTML_AUTHCOOKIE_MAX_AGE = 30 * 24 * 3600  # 30 days.
+HTML_AUTHCOOKIE_MAX_AGE = int(timedelta(days=365).total_seconds())
 
 
 class TopLevelPolicy:
@@ -55,7 +57,7 @@ def get_subpolicy(request):
         # Make the API authcookie stay fresh for longer than the HTML one.
         # This is to make it less likely that a browser will have an unexpired HTML
         # authcookie but an expired API one, which can lead to confusing results.
-        max_age=HTML_AUTHCOOKIE_MAX_AGE + 3600,
+        max_age=HTML_AUTHCOOKIE_MAX_AGE + int(timedelta(hours=1).total_seconds()),
     )
     api_authcookie = api_authcookie.bind(request)
 

diff --git a/h/services/auth_ticket.py b/h/services/auth_ticket.py
@@ -6,7 +6,7 @@
 
 
 class AuthTicketService:
-    TICKET_TTL = timedelta(days=7)
+    TICKET_TTL = timedelta(days=90)
 
     # We only want to update the `expires` column when the tickets `expires` is
     # at least one minute smaller than the potential new value. This prevents

diff --git a/h/session.py b/h/session.py
@@ -1,3 +1,4 @@
+from datetime import timedelta
 from urllib.parse import urlparse
 
 from pyramid.csrf import SessionCSRFStoragePolicy
@@ -126,7 +127,7 @@ def includeme(config):  # pragma: no cover
         #
         # To avoid this we make sure that the lifetime of CSRF tokens is always
         # longer than the lifetimes of auth cookies.
-        timeout=HTML_AUTHCOOKIE_MAX_AGE + 3600,
+        timeout=HTML_AUTHCOOKIE_MAX_AGE + int(timedelta(hours=1).total_seconds()),
     )
     config.set_session_factory(factory)
     config.set_csrf_storage_policy(SessionCSRFStoragePolicy())
diff --git a/tests/unit/h/security/policy/top_level_test.py b/tests/unit/h/security/policy/top_level_test.py
@@ -90,7 +90,7 @@ def test_api_request(
                 secret="test_h_api_auth_cookie_secret",
                 salt="test_h_api_auth_cookie_salt",
                 cookie_name="h_api_authcookie",
-                max_age=2595600,
+                max_age=31539600,
                 httponly=True,
                 secure=True,
                 samesite="strict",
@@ -99,7 +99,7 @@ def test_api_request(
                 secret="test_h_auth_cookie_secret",
                 salt="authsanity",
                 cookie_name="auth",
-                max_age=2592000,
+                max_age=31536000,
                 httponly=True,
                 secure=True,
             ),
@@ -147,7 +147,7 @@ def test_non_api_request(
                 secret="test_h_api_auth_cookie_secret",
                 salt="test_h_api_auth_cookie_salt",
                 cookie_name="h_api_authcookie",
-                max_age=2595600,
+                max_age=31539600,
                 httponly=True,
                 secure=True,
                 samesite="strict",
@@ -156,7 +156,7 @@ def test_non_api_request(
                 secret="test_h_auth_cookie_secret",
                 salt="authsanity",
                 cookie_name="auth",
-                max_age=2592000,
+                max_age=31536000,
                 httponly=True,
                 secure=True,
             ),