Use session expiration for all authentication cookies (#18269)

Closes #18180

Author: ewdurbin

tests/unit/test_sessions.py

@@ -563,7 +563,7 @@ def test_invalidated_deletes_save_non_secure(self, monkeypatch, pyramid_request)
         pyramid_request.session.should_save = pretend.call_recorder(lambda: True)
         response = pretend.stub(
             set_cookie=pretend.call_recorder(
-                lambda cookie, data, max_age, httponly, secure, samesite: None
+                lambda cookie, data, httponly=False, secure=True, samesite=b"none": None
             )
         )
         session_factory._process_response(pyramid_request, response)
@@ -589,7 +589,6 @@ def test_invalidated_deletes_save_non_secure(self, monkeypatch, pyramid_request)
             pretend.call(
                 "session_id",
                 "cookie data",
-                max_age=12 * 60 * 60,
                 httponly=True,
                 secure=False,
                 samesite=b"lax",

warehouse/sessions.py

@@ -301,10 +301,16 @@ def _process_response(self, request, response):
             )
 
             # Send our session cookie to the client
+            # NOTE: The lack of a max_age here. This sends the cookie with:
+            #  > Expires: Session
+            # This will allow effectively allow the cookie to live indefinitely,
+            # as long as the user has interacted with the session _before_ the
+            # session key expieres in redis.
+            # Once the session key has expired in redis, the session will be marked
+            # as invalid and will not authenticate the account.
             response.set_cookie(
                 self.cookie_name,
                 self.signer.sign(request.session.sid.encode("utf8")),
-                max_age=self.max_age,
                 httponly=True,
                 secure=request.scheme == "https",
                 samesite=b"lax",