Add docs on Cookie length limitations (#1700)
Co-authored-by: victoria <[email protected]>
BrandonRomano and victoriaxyz authored Nov 14, 2024
1 parent e385501 commit ec0c475
Showing 1 changed file with 18 additions and 1 deletion.
19 changes: 18 additions & 1 deletion docs/authentication/configuration/session-options.mdx
Expand Up @@ -29,6 +29,9 @@ By default, the inactivity timeout is set to 7 days. You can set a custom inacti
1. Toggle on **Inactivity timeout**.
1. Set your desired duration.

> [!NOTE]
> You should be aware of [browser limitations](#browser-limitations-on-cookies), which may cause users to be signed out before the configured inactivity timeout.
### Maximum lifetime

The duration after which a session will expire and the user will have to sign in again, regardless of their activity on your site.
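Review bot: the new callout block is not separated from the following `### Maximum lifetime` heading by a blank line, so in MDX the heading may be parsed as part of the blockquote; add an empty line after the `> You should be aware of [browser limitations](...)` line. The `#browser-limitations-on-cookies` anchor resolves to the `## Browser limitations on cookies` heading introduced later in this same file, so the cross-link is consistent.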
Expand All @@ -41,7 +44,21 @@ By default, this setting is enabled with a default value of 7 days for all newly
1. Set your desired duration.

> [!NOTE]
> Safari will clear Clerk's session cookie every 7 days as an effect of their [CNAME cloaking ITP policy](https://webkit.org/blog/11338/cname-cloaking-and-bounce-tracking-defense/). This will cause users to be signed out weekly, even if session lifetime is set to a longer duration. The only current workaround to this issue is to [proxy FAPI](/docs/advanced-usage/using-proxies).
> You should be aware of [browser limitations](#browser-limitations-on-cookies), which may cause users to be signed out before the configured maximum lifetime.
## Browser limitations on cookies

Regardless of how [session lifetimes](#session-lifetime) are configured, there are certain browser limitations & behaviors which may clear Clerk's session cookie. This will cause users to be signed out, even if your session lifetimes are set to a longer duration. As a result, it is impossible to achieve a setup where your users are never signed out.

### User behaviors

In the event that a user manually clears their cookies, Clerk's session cookie will be lost. Similarly, if a user signs in via an incognito window and they then close all incognito windows, Clerk's session cookie will be lost. Both of these scenarios will cause the user to have to sign in again.

### Google Chrome

Cookies set in Google Chrome have a `Max-Age` upper limit of [400 days](https://developer.chrome.com/blog/cookie-max-age-expires). Users who are using Google Chrome will be signed out within 400 days, even if session lifetime is set to a longer duration. There is no workaround for this.

This is per the [HTTP Working Group Specification](https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#section-5.5) which is likely to get implemented by other browsers in the near future.

## Multi-session applications

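Review bot: this hunk deletes the Safari-specific note (the 7-day cookie clearing under the CNAME cloaking ITP policy and the `proxy FAPI` workaround) and replaces it with a generic pointer to the new "Browser limitations on cookies" section, but that section only documents user behaviours and Google Chrome's 400-day `Max-Age` cap, so the Safari behaviour and its only documented workaround are lost from the docs. Suggest carrying the removed text over as a `### Safari` subsection alongside `### Google Chrome`, keeping the webkit.org link and the `/docs/advanced-usage/using-proxies` link. Minor: the new `> You should be aware of ...` line is not followed by a blank line before `## Browser limitations on cookies`, same blockquote/heading separation issue as in the first hunk, and the sentence "which is likely to get implemented by other browsers in the near future" is a prediction the spec link does not support; consider rewording to state only that the limit comes from the draft RFC 6265bis.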