Cookies & sessions

Server-side session semantics: signed session cookie + encrypted token payload. All secrets stay on the server.

Session cookie (`session-cookie`)

Function	Description
`getAuthSessionSecret()`	Reads `AUTH_SESSION_SECRET` from env
`isAuthSessionSecretStrong(secret)`	Validates entropy/length
`createSignedAuthSession(payload, expiresAt)`	HMAC-signed session blob
`verifySignedAuthSession(value)`	Verify + parse or `null`
`getAuthSessionCookieName()`	HttpOnly session cookie name
`getAuthSessionCookieOptions(expiresAt)`	`Set-Cookie` options (Secure, SameSite, …)
`getExpiredAuthSessionCookieOptions()`	Clear session cookie

Import path: @sumx/ssr-auth-core/session-cookie or barrel.

Stores encrypted access/refresh/id token material for BFF refresh.

Function	Description
`createEncryptedAuthTokenSession(payload, expiresAt)`	Encrypt tokens for cookie
`decryptAuthTokenSession(value)`	Decrypt or `null`
`getAuthTokenCookieName()`	Token cookie name
`getAuthTokenCookieOptions` / `getExpiredAuthTokenCookieOptions`	Set / clear headers

Type: ServerTokenCookiePayload (access, refresh, id tokens, expiry metadata).

Export	Description
`ROLLING_AUTH_SESSION_TTL_SECONDS`	Default 7-day rolling TTL
`getRollingSessionExpiresAt(now?)`	Expiry timestamp
`buildAuthenticatedSessionCookieHeaders({...})`	Set session + token + `isLoggedIn`
`buildExpiredSessionCookieHeaders()`	Clear all auth cookies

Used by API route handlers after successful OIDC verification.

Variable	Required	Notes
`AUTH_SESSION_SECRET`	Yes (prod)	Signs session cookie; use long random secret
Token encryption	Host-specific	Configured inside `server-token-cookie` (portal env)

Never expose refresh tokens to localStorage in new flows.
Cookie flags follow existing SumX patterns: HttpOnly, Secure in production, SameSite as configured in kit.
Client may read isLoggedIn only; tokens remain server-side.