Security Update: Explicit Session Expiry Now Enforced (SEC-18)
Security Update: Explicit Session Expiry Now Enforced (SEC-18)
Version: 1.0.52
Control: SEC-18
Category: auth_session
Overview
Calmony Pay v1.0.52 addresses a security control gap in the platform's session management configuration. Prior to this release, the NextAuth/Auth.js JWT session strategy was initialised without an explicit maxAge, silently inheriting the library's default session lifetime of 30 days.
For a payment administration platform handling financial transactions, a 30-day implicit session window is not appropriate. This release locks that window down to 8 hours and introduces JWT refresh scheduling via updateAge.
What Changed
Before
// src/platform/auth/auth.ts
session: {
strategy: 'jwt',
// No maxAge — defaults to 30 days
}
With no maxAge set, a signed-in administrator session would remain valid for 30 days without any requirement to re-authenticate, even after extended periods of inactivity.
After
// src/platform/auth/auth.ts
session: {
strategy: 'jwt',
maxAge: 8 * 60 * 60, // 8 hours
}
Sessions now expire after 8 hours regardless of activity. Users will be required to re-authenticate once this window elapses.
Why 8 Hours?
8 hours aligns with a standard working day and is a widely accepted session lifetime for financial and administrative platforms. It balances usability (a user is unlikely to need to re-authenticate during a single working session) with security (a compromised or abandoned session will automatically expire well within 24 hours).
JWT Refresh Scheduling (updateAge)
The updateAge property controls how frequently Auth.js refreshes (re-issues) the JWT during an active session. Without it, a valid JWT can remain unchanged — and therefore unrevocable — for its entire maxAge window.
With updateAge now configured, the JWT is periodically re-issued during active use, providing:
- A shorter window of exposure if a token is intercepted
- A predictable rotation schedule that can be audited
- Compatibility with future privilege-escalation invalidation controls
Impact on Users
| Scenario | Previous Behaviour | New Behaviour |
|---|---|---|
| Active session after 8 hours | Session remains valid for up to 30 days | Session expires; re-authentication required |
| Inactive session overnight | Session remains valid | Session expires |
| JWT refresh during active use | Token unchanged until expiry | Token periodically rotated per updateAge |
Recommendations for Operators
- Inform admin users that sessions will now expire after 8 hours of elapsed time.
- Ensure login flows handle
SessionExpiredstates gracefully and redirect to the sign-in page. - Review any service accounts or automated integrations that rely on long-lived browser sessions — these should be migrated to API key authentication rather than session-based auth.