Stack of changes to get gin, scs, nosurf running.

internal/platform/session/session.go

@@ -1,6 +1,7 @@
 package session
 
 import (
+	"encoding/gob"
 	"net/http"
 	"time"
 
@@ -10,16 +11,25 @@ import (
 )
 
 func New(cfg config.Config) *scs.SessionManager {
-	lifetime := 12 * time.Hour
+	gob.Register(time.Time{})
+	s := scs.New()
+
+	// Lifetime (absolute max age)
 	if d, err := time.ParseDuration(cfg.Session.Lifetime); err == nil && d > 0 {
-		lifetime = d
+		s.Lifetime = d
+	} else {
+		s.Lifetime = 12 * time.Hour
 	}
 
-	s := scs.New()
-	s.Lifetime = lifetime
-	s.Cookie.Name = cfg.Session.Name
+	// Idle timeout (expire after inactivity)
+	if d, err := time.ParseDuration(cfg.Session.IdleTimeout); err == nil && d > 0 {
+		s.IdleTimeout = d
+	}
+
+	s.Cookie.Name = cfg.Session.CookieName
 	s.Cookie.HttpOnly = true
 	s.Cookie.SameSite = http.SameSiteLaxMode
 	s.Cookie.Secure = cfg.HttpServer.ProductionMode
+
 	return s
 }