Skip to content

docs(handler): document cookie attributes and MaxAge behaviour#576

Draft
github-actions[bot] wants to merge 1 commit into
mainfrom
docs/cookie-helpers-attributes-d5b3eb26aeb631c8
Draft

docs(handler): document cookie attributes and MaxAge behaviour#576
github-actions[bot] wants to merge 1 commit into
mainfrom
docs/cookie-helpers-attributes-d5b3eb26aeb631c8

Conversation

@github-actions

Copy link
Copy Markdown
Contributor

Summary

cookies.md previously described the four public cookie helpers but omitted the shared attributes applied to every cookie (Path: "/", HttpOnly: true, SameSite: Strict) and gave no explanation of the MaxAge semantics used by each function.

This was brought into focus by #570, which extracted a private setCookie helper that centralises those static attributes in one place. The documentation now accurately reflects the implementation.

Changes

  • Shared attributes table — lists Path, HttpOnly, SameSite, and Secure for all helpers in one place, removing the need to read the source to know the full cookie shape.
  • SetAuthCookie — session cookie semantics — explicitly documents MaxAge: 0 (session cookie; browser discards on close) and explains why this is the right default for short-lived JWT access tokens.
  • ClearAuthCookie / ClearRefreshCookie — deletion semantics — documents MaxAge: -1 (instructs the browser to delete the cookie immediately).
  • SetRefreshCookie — persistence note — explains that the explicit maxAge parameter allows the refresh cookie to survive browser restarts, and recommends passing RefreshTokenTTL for consistent expiry.
  • Removed inline comments that restated only a partial list of attributes (the table supersedes them).

Verification

All existing cookie function signatures are unchanged; no code was modified. The documentation was cross-checked against handler/helpers.go lines 316–348.

Generated by Update Docs · 381.3 AIC · ⌖ 30 AIC · ⊞ 32.1K ·

Add this agentic workflows to your repo

To install this agentic workflow, run

gh aw add githubnext/agentics/workflows/update-docs.md@96b9d4c39aa22359c0b38265927eadb31dcf4e2a

The setCookie helper (extracted in #570) centralises Path, HttpOnly,
SameSite, and Secure for all four public cookie functions.
cookies.md previously omitted these shared attributes and did not
explain the session-cookie semantics of SetAuthCookie (MaxAge: 0) or
the deletion semantics of the Clear* helpers (MaxAge: -1).

- Add a shared-attributes table covering Path, HttpOnly, SameSite, and
  the caller-controlled Secure flag.
- Document SetAuthCookie as a session cookie and explain when to use it.
- Document that Clear* helpers set MaxAge: -1 to delete the cookie.
- Document that SetRefreshCookie accepts an explicit maxAge so the
  cookie persists across browser sessions.
- Remove inline comments that restated only a subset of attributes.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions github-actions Bot added automation documentation Improvements or additions to documentation labels Jun 18, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

automation documentation Improvements or additions to documentation

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants