Merge branch 'main' into je.orgs-for-users-guide

clerk · Nov 14, 2024 · 2653bd3 · 2653bd3
2 parents eb19c0f + 2da96f1
commit 2653bd3
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 7 deletions.
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -1,16 +1,18 @@
-<!--- Add the "deploy-preview" label and add your page previews here -->
-
 > [!IMPORTANT]
 > 🔎 Previews:
 >
 > -
 
-<!--- Describe your changes in detail. Why does this change need to happen? Include any links to Slack discussions, Linear comments, etc. -->
-
 ### Explanation:
 
-<!--- How does this PR solve the problem? -->
+- <!--- Describe your changes in detail. Why does this change need to happen? Include any links to Slack discussions, Linear comments, etc. -->
 
 ### This PR:
 
--
+- <!--- How does this PR solve the problem? -->
+
+### Checklist
+
+- [ ] I have clicked on "Files changed" and performed a thorough self-review
+- [ ] I have added the "deploy-preview" label and added the preview link(s) to this PR description
+- [ ] All existing checks pass
diff --git a/docs/authentication/configuration/session-options.mdx b/docs/authentication/configuration/session-options.mdx
@@ -29,6 +29,9 @@ By default, the inactivity timeout is set to 7 days. You can set a custom inacti
 1. Toggle on **Inactivity timeout**.
 1. Set your desired duration.
 
+> [!NOTE]
+> You should be aware of [browser limitations](#browser-limitations-on-cookies), which may cause users to be signed out before the configured inactivity timeout.
+
 ### Maximum lifetime
 
 The duration after which a session will expire and the user will have to sign in again, regardless of their activity on your site.
@@ -41,7 +44,21 @@ By default, this setting is enabled with a default value of 7 days for all newly
 1. Set your desired duration.
 
 > [!NOTE]
-> Safari will clear Clerk's session cookie every 7 days as an effect of their [CNAME cloaking ITP policy](https://webkit.org/blog/11338/cname-cloaking-and-bounce-tracking-defense/). This will cause users to be signed out weekly, even if session lifetime is set to a longer duration. The only current workaround to this issue is to [proxy FAPI](/docs/advanced-usage/using-proxies).
+> You should be aware of [browser limitations](#browser-limitations-on-cookies), which may cause users to be signed out before the configured maximum lifetime.
+
+## Browser limitations on cookies
+
+Regardless of how [session lifetimes](#session-lifetime) are configured, there are certain browser limitations & behaviors which may clear Clerk's session cookie. This will cause users to be signed out, even if your session lifetimes are set to a longer duration. As a result, it is impossible to achieve a setup where your users are never signed out.
+
+### User behaviors
+
+In the event that a user manually clears their cookies, Clerk's session cookie will be lost. Similarly, if a user signs in via an incognito window and they then close all incognito windows, Clerk's session cookie will be lost. Both of these scenarios will cause the user to have to sign in again.
+
+### Google Chrome
+
+Cookies set in Google Chrome have a `Max-Age` upper limit of [400 days](https://developer.chrome.com/blog/cookie-max-age-expires). Users who are using Google Chrome will be signed out within 400 days, even if session lifetime is set to a longer duration. There is no workaround for this.
+
+This is per the [HTTP Working Group Specification](https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#section-5.5) which is likely to get implemented by other browsers in the near future.
 
 ## Multi-session applications