From a7cf454760b2d7038e0f0c6f2108ae4b42b4e5ba Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens@goauthentik.io>
Date: Wed, 8 Feb 2023 14:18:52 +0100
Subject: [PATCH] web/admin: add notice for user_login stage session cookie
 behaviour

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---
 web/src/admin/stages/user_login/UserLoginStageForm.ts | 10 ++++++++++
 web/src/elements/Tooltip.ts                           |  1 +
 website/docs/flow/stages/user_login.md                |  4 ++++
 3 files changed, 15 insertions(+)

diff --git a/web/src/admin/stages/user_login/UserLoginStageForm.ts b/web/src/admin/stages/user_login/UserLoginStageForm.ts
index 6ccb9ca82..502fe65a0 100644
--- a/web/src/admin/stages/user_login/UserLoginStageForm.ts
+++ b/web/src/admin/stages/user_login/UserLoginStageForm.ts
@@ -1,5 +1,6 @@
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { first } from "@goauthentik/common/utils";
+import "@goauthentik/elements/Alert";
 import "@goauthentik/elements/forms/FormGroup";
 import "@goauthentik/elements/forms/HorizontalFormElement";
 import { ModelForm } from "@goauthentik/elements/forms/ModelForm";
@@ -70,6 +71,15 @@ export class UserLoginStageForm extends ModelForm<UserLoginStage, string> {
                             ${t`Determines how long a session lasts. Default of 0 seconds means that the sessions lasts until the browser is closed.`}
                         </p>
                         <ak-utils-time-delta-help></ak-utils-time-delta-help>
+                        <ak-alert ?inline=${true}>
+                            ${t`Different browsers handle session cookies differently, and might not remove them even when the browser is closed.`}
+                            <a
+                                href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#expiresdate"
+                                target="_blank"
+                            >
+                                ${t`See here.`}
+                            </a>
+                        </ak-alert>
                     </ak-form-element-horizontal>
                 </div>
             </ak-form-group>
diff --git a/web/src/elements/Tooltip.ts b/web/src/elements/Tooltip.ts
index 67390e854..6fa13137b 100644
--- a/web/src/elements/Tooltip.ts
+++ b/web/src/elements/Tooltip.ts
@@ -26,6 +26,7 @@ export class Tooltip extends AKElement {
                 }
                 .pf-c-tooltip {
                     position: absolute;
+                    z-index: 999;
                 }
             `,
         ];
diff --git a/website/docs/flow/stages/user_login.md b/website/docs/flow/stages/user_login.md
index efe331da5..17bb6da14 100644
--- a/website/docs/flow/stages/user_login.md
+++ b/website/docs/flow/stages/user_login.md
@@ -10,6 +10,10 @@ It can be used after `user_write` during an enrollment flow, or after a `passwor
 
 By default, the authentik session expires when you close your browser (_seconds=0_).
 
+:::warning
+Different browsers handle session cookies differently, and might not remove them even when the browser is closed. See [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#expiresdate) for more info.
+:::
+
 You can set the session to expire after any duration using the syntax of `hours=1,minutes=2,seconds=3`. The following keys are allowed:
 
 -   Microseconds