From 5aa2a52526f13dd807b33590a6958e2f3b8c5541 Mon Sep 17 00:00:00 2001
From: Mathijs de Bruin
Date: Wed, 18 Feb 2026 15:22:16 +0000
Subject: [PATCH 1/2] feat: Make state cookie lifetime configurable via CHAINLIT_STATE_COOKIE_LIFETIME env var

Co-Authored-By: Claude Opus 4.6
---
 backend/chainlit/auth/cookie.py | 4 +++-
 backend/tests/auth/test_cookie.py | 17 +++++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/backend/chainlit/auth/cookie.py b/backend/chainlit/auth/cookie.py
index 755ac5017c..1cb4cc5ace 100644
--- a/backend/chainlit/auth/cookie.py
+++ b/backend/chainlit/auth/cookie.py
@@ -27,7 +27,9 @@
 _cookie_path = os.environ.get(_cookie_root_path, "/")
 else:
 _cookie_path = os.environ.get("CHAINLIT_AUTH_COOKIE_PATH", "/")
-_state_cookie_lifetime = 3 * 60 # 3m
+_state_cookie_lifetime = int(
+ os.environ.get("CHAINLIT_STATE_COOKIE_LIFETIME", str(3 * 60))
+)
 _auth_cookie_name = os.environ.get("CHAINLIT_AUTH_COOKIE_NAME", "access_token")
 _state_cookie_name = "oauth_state"

diff --git a/backend/tests/auth/test_cookie.py b/backend/tests/auth/test_cookie.py
index 7f1e7a0233..5f5c3848a5 100644
--- a/backend/tests/auth/test_cookie.py
+++ b/backend/tests/auth/test_cookie.py
@@ -1,9 +1,12 @@
+import importlib
+
 import pytest
 from fastapi import FastAPI, Form
 from fastapi.testclient import TestClient
 from starlette.requests import Request
 from starlette.responses import Response

+import chainlit.auth.cookie as cookie_module
 from chainlit.auth import (
 clear_auth_cookie,
 get_token_from_cookies,
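Review bot: In backend/chainlit/auth/cookie.py the new `int(os.environ.get("CHAINLIT_STATE_COOKIE_LIFETIME", ...))` runs at import time with no validation, so a non-numeric value aborts the module import with a bare ValueError, while zero, negative or very large values are accepted as they are. Presumably this value becomes the max-age of the `oauth_state` cookie; if so, a non-positive value would break the login round-trip and an unbounded one keeps the state token alive far longer than the flow needs. I would reject out-of-range values right after parsing, e.g. `if _state_cookie_lifetime <= 0: raise ValueError("CHAINLIT_STATE_COOKIE_LIFETIME must be a positive number of seconds")`, and consider an upper cap as well. The removed `# 3m` comment was the only statement of the unit, so a replacement such as `# seconds; lifetime of the OAuth state cookie` belongs above the assignment.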
@@ -130,6 +133,20 @@ def test_overwrite_shorter_token_unchunked(client):
 assert len(chunk_cookies) == 0, f"Found {len(chunk_cookies)} residual cookies"


+def test_state_cookie_lifetime_default(monkeypatch):
+ """Test that _state_cookie_lifetime defaults to 180 seconds (3 minutes)."""
+ monkeypatch.delenv("CHAINLIT_STATE_COOKIE_LIFETIME", raising=False)
+ importlib.reload(cookie_module)
+ assert cookie_module._state_cookie_lifetime == 180
+
+
+def test_state_cookie_lifetime_custom(monkeypatch):
+ """Test that _state_cookie_lifetime can be set via environment variable."""
+ monkeypatch.setenv("CHAINLIT_STATE_COOKIE_LIFETIME", "600")
+ importlib.reload(cookie_module)
+ assert cookie_module._state_cookie_lifetime == 600
+
+
 def test_clear_auth_cookie(client):
 """Test cookie clearing removes all chunks."""
 # Set initial token

From 79cf406d96438f19b7067376fc6a07cb930a861d Mon Sep 17 00:00:00 2001
From: Mathijs de Bruin
Date: Wed, 18 Feb 2026 16:07:57 +0000
Subject: [PATCH 2/2] Fix error with changed-files in CI.

---
 .github/workflows/lint-backend.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/lint-backend.yaml b/.github/workflows/lint-backend.yaml
index e6628819a6..481db5f32e 100644
--- a/.github/workflows/lint-backend.yaml
+++ b/.github/workflows/lint-backend.yaml
@@ -10,7 +10,7 @@ jobs:
 env:
 BACKEND_DIR: ./backend
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v6
 - uses: ./.github/actions/uv-python-install
 name: Install Python, uv and Python dependencies
 with:
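Review bot: In backend/tests/auth/test_cookie.py both new tests call `importlib.reload(cookie_module)` but nothing reloads the module afterwards, so once `test_state_cookie_lifetime_custom` has run, `_state_cookie_lifetime` stays at 600 for every later test in the process even though monkeypatch restores the environment variable. A fixture that undoes the environment change and reloads the module on teardown keeps the tests independent of execution order; both tests would take it as an argument. There is also no test for a malformed or non-positive value, which is the input most likely to cause trouble in a deployment.

```python
@pytest.fixture
def reloaded_cookie_module(monkeypatch):
    yield cookie_module
    monkeypatch.undo()  # restore the environment before re-importing
    importlib.reload(cookie_module)


def test_state_cookie_lifetime_custom(monkeypatch, reloaded_cookie_module):
    # … unchanged: setenv, reload and assertion …
```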