diff --git a/.github/workflows/lint-backend.yaml b/.github/workflows/lint-backend.yaml
index e6628819a6..481db5f32e 100644
--- a/.github/workflows/lint-backend.yaml
+++ b/.github/workflows/lint-backend.yaml
@@ -10,7 +10,7 @@ jobs:
 env:
 BACKEND_DIR: ./backend
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v6
 - uses: ./.github/actions/uv-python-install
 name: Install Python, uv and Python dependencies
 with:
diff --git a/backend/chainlit/auth/cookie.py b/backend/chainlit/auth/cookie.py
index 755ac5017c..1cb4cc5ace 100644
--- a/backend/chainlit/auth/cookie.py
+++ b/backend/chainlit/auth/cookie.py
@@ -27,7 +27,9 @@ _cookie_path = os.environ.get(_cookie_root_path, "/")
 else:
 _cookie_path = os.environ.get("CHAINLIT_AUTH_COOKIE_PATH", "/")
-_state_cookie_lifetime = 3 * 60 # 3m
+_state_cookie_lifetime = int(
+ os.environ.get("CHAINLIT_STATE_COOKIE_LIFETIME", str(3 * 60))
+)
 _auth_cookie_name = os.environ.get("CHAINLIT_AUTH_COOKIE_NAME", "access_token")
 _state_cookie_name = "oauth_state"
diff --git a/backend/tests/auth/test_cookie.py b/backend/tests/auth/test_cookie.py
index 7f1e7a0233..5f5c3848a5 100644
--- a/backend/tests/auth/test_cookie.py
+++ b/backend/tests/auth/test_cookie.py
@@ -1,9 +1,12 @@
+import importlib
+
 import pytest
 from fastapi import FastAPI, Form
 from fastapi.testclient import TestClient
 from starlette.requests import Request
 from starlette.responses import Response
+import chainlit.auth.cookie as cookie_module
 from chainlit.auth import (
 clear_auth_cookie,
 get_token_from_cookies,
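Review bot: In backend/chainlit/auth/cookie.py the new `_state_cookie_lifetime` assignment passes the raw `CHAINLIT_STATE_COOKIE_LIFETIME` value straight to `int()`, so a non-numeric value fails at import time with a bare ValueError that does not name the variable, and zero, negative or arbitrarily large values are accepted unchecked. The value belongs to the OAuth state cookie (`_state_cookie_name = "oauth_state"`) and presumably becomes its max-age, so an unbounded setting can quietly widen the window in which a login attempt's state stays valid, while a non-positive one would likely break the login flow. Reading the variable through a small helper that rejects non-integers and out-of-range values with a message naming the variable would make a misconfiguration visible at startup; the ceiling in the sketch below is a placeholder for the project to choose. The removed `# 3m` comment was the only statement of the unit, so the replacement should say that the value is in seconds.

```python
# Lifetime of the OAuth state cookie, in seconds (default: 3 minutes).
_DEFAULT_STATE_COOKIE_LIFETIME = 3 * 60
_MAX_STATE_COOKIE_LIFETIME = 60 * 60  # placeholder ceiling, to be chosen by the project


def _read_state_cookie_lifetime() -> int:
    raw = os.environ.get("CHAINLIT_STATE_COOKIE_LIFETIME")
    if raw is None:
        return _DEFAULT_STATE_COOKIE_LIFETIME
    try:
        lifetime = int(raw)
    except ValueError:
        raise ValueError(
            "CHAINLIT_STATE_COOKIE_LIFETIME must be an integer number of "
            f"seconds, got {raw!r}"
        ) from None
    if not 0 < lifetime <= _MAX_STATE_COOKIE_LIFETIME:
        raise ValueError(
            "CHAINLIT_STATE_COOKIE_LIFETIME must be between 1 and "
            f"{_MAX_STATE_COOKIE_LIFETIME} seconds, got {lifetime}"
        )
    return lifetime


_state_cookie_lifetime = _read_state_cookie_lifetime()
# … unchanged: _auth_cookie_name, _state_cookie_name …
```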
@@ -130,6 +133,20 @@ def test_overwrite_shorter_token_unchunked(client):
 assert len(chunk_cookies) == 0, f"Found {len(chunk_cookies)} residual cookies"
+def test_state_cookie_lifetime_default(monkeypatch):
+ """Test that _state_cookie_lifetime defaults to 180 seconds (3 minutes)."""
+ monkeypatch.delenv("CHAINLIT_STATE_COOKIE_LIFETIME", raising=False)
+ importlib.reload(cookie_module)
+ assert cookie_module._state_cookie_lifetime == 180
+
+
+def test_state_cookie_lifetime_custom(monkeypatch):
+ """Test that _state_cookie_lifetime can be set via environment variable."""
+ monkeypatch.setenv("CHAINLIT_STATE_COOKIE_LIFETIME", "600")
+ importlib.reload(cookie_module)
+ assert cookie_module._state_cookie_lifetime == 600
+
+
 def test_clear_auth_cookie(client):
 """Test cookie clearing removes all chunks."""
 # Set initial token
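Review bot: Both new tests call `importlib.reload(cookie_module)` while the environment is patched, and nothing reloads the module once `monkeypatch` has restored the environment, so after `test_state_cookie_lifetime_custom` the module keeps `_state_cookie_lifetime == 600` for every test that runs later in the same process. The reload also re-executes the module's other top-level statements, so the leaked state is not limited to this one value. A fixture that undoes the environment patch and reloads once more on teardown would keep the suite order-independent. A third test that sets a non-numeric value would pin how the `int()` call in cookie.py fails.

```python
@pytest.fixture
def reloaded_cookie_module(monkeypatch):
    """Reload chainlit.auth.cookie again once the environment is restored."""
    yield cookie_module
    monkeypatch.undo()
    importlib.reload(cookie_module)


def test_state_cookie_lifetime_custom(monkeypatch, reloaded_cookie_module):
    # … unchanged: setenv, reload and assertion …
```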