Summary

Introduction

Currently, both the client side session (see HERE) and the server side session (see HERE) require the max_age parameter to be set (either explicitly or by using the default value). This makes impossible to create session-only cookies - sessions that disappear, when the browser is closed.

Client Side

This is pretty straightforward - the Cookie datastructure already supports max_age being None and it is passed from the session config.
I think only changing the field type in CookieBackendConfig and the post-init validator should suffice

Server Side

This is more complicated, as the max_age not only applies to the cookie but to the store as well. The ServerSideSessionBackend supports setting the expiration to None. The complication is that this way it would be impossible to check for which sessions are stale as the backend does not know whethet the browser has been closed or not.

The solution I can think of is adding an optional field to the config which would allow setting the server-side max_age separately, which would be by default set to the cookie max_age. Something like a session_max_age parameter. It could be also set to None as this is allowed for Stores

But maybe someone will have a better idea?

Basic Example

Client-side

app = Litestar(
    route_handlers=[index],
    middleware=[CookieBackendConfig(secret=secrets.token_bytes(16), max_age=None).middleware]
)

Server-side

redis = Redis()
store = RedisStore(redis)
app = Litestar(
    route_handlers=[index],
    stores={"sessions": store},
    middleware=[ServerSideSessionConfig(max_age=None, session_max_age=1000).middleware],  # or maybe some other way
)

Drawbacks and Impact

No response

Unresolved questions

No response