diff --git a/src/actions/time-tracking/field.ts b/src/actions/time-tracking/field.ts index 123608f..ec0e098 100644 --- a/src/actions/time-tracking/field.ts +++ b/src/actions/time-tracking/field.ts @@ -46,7 +46,12 @@ export type TimeTrackingSession = { // ── Cookie helpers ───────────────────────────────────────────────────────── const SESSION_COOKIE = "time_tracking_session"; -const COOKIE_MAX_AGE = 12 * 60 * 60; // 12 hours +// 7 days. The cookie is httpOnly + secure (in prod) + sameSite=lax so +// XSS / cross-site theft are already mitigated; the remaining risk is a +// shared/unlocked device on the field. Workers notice forced re-auth +// more than they notice a longer session, so we keep them signed in for +// a full week. Re-PIN only when the cookie expires or is logged out. +const COOKIE_MAX_AGE = 7 * 24 * 60 * 60; function sessionCookieValue(session: TimeTrackingSession): string { return [