The Firebase Admin SDK requires session cookies to last between five minutes and two weeks, so creating a session cookie with a shorter or longer duration fails with this error and prevents the login endpoint from issuing authenticated cookies.
Firebase session cookies are minted by calling createSessionCookie() after a client sends an ID token to a trusted endpoint. The Admin SDK validates the expiresIn value and the documentation only allows durations between 5 minutes and 2 weeks (in milliseconds). Passing a value outside this window—missing the option entirely, using the wrong units, or setting zero/negative values—triggers auth/invalid-session-cookie-duration before the cookie is created.
The Admin SDK expects expiresIn in milliseconds and enforces a minimum of 5 minutes and maximum of 14 days. Normalize the requested duration before calling createSessionCookie():

    // `admin` is the initialized firebase-admin module; `idToken` is the ID token sent by the client.
    const MIN_SESSION_LENGTH = 5 * 60 * 1000; // 5 minutes
    const MAX_SESSION_LENGTH = 14 * 24 * 60 * 60 * 1000; // 2 weeks
    const requestedDuration = Number(req.body.durationMs ?? MIN_SESSION_LENGTH);
    if (!Number.isFinite(requestedDuration)) {
      throw new Error('Missing or invalid session duration');
    }
    // Clamp the requested value into the window the Admin SDK accepts.
    const expiresIn = Math.min(Math.max(requestedDuration, MIN_SESSION_LENGTH), MAX_SESSION_LENGTH);
    const sessionCookie = await admin
      .auth()
      .createSessionCookie(idToken, { expiresIn });

If you are mapping a TTL from configuration or a user preference, always document the units and parse them safely:

    const MIN_SESSION_LENGTH = 5 * 60 * 1000; // 5 minutes, in milliseconds
    const MAX_SESSION_LENGTH = 14 * 24 * 60 * 60 * 1000; // 2 weeks, in milliseconds
    const fallbackDurationMs = 24 * 60 * 60 * 1000; // 1 day
    const rawDuration = req.body.durationMs ?? fallbackDurationMs;
    const parsed = parseInt(rawDuration.toString(), 10);
    // Fall back to the default when the value is not a number at all.
    const durationMs = Number.isNaN(parsed) ? fallbackDurationMs : parsed;
    // Reject out-of-range values here instead of letting createSessionCookie() fail.
    if (durationMs < MIN_SESSION_LENGTH || durationMs > MAX_SESSION_LENGTH) {
      throw new Error('Session duration must stay within Firebase limits');
    }

Picking the wrong unit (seconds instead of milliseconds) or passing undefined will keep the duration outside the allowed window, and Firebase will return auth/invalid-session-cookie-duration every time.
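One way to rule out unit mistakes and keep a client-supplied lifetime under a server-side cap, as an added example that is not code from the original page or from Firebase. The names parseTtl and resolveSessionDuration, the config fields maxTtl and defaultTtl, and the "30m"/"7d" suffix format are assumptions made for illustration:

```javascript
// Added example; all names below are hypothetical, not part of the Firebase Admin SDK.
const MIN_SESSION_LENGTH = 5 * 60 * 1000;            // Firebase minimum: 5 minutes
const MAX_SESSION_LENGTH = 14 * 24 * 60 * 60 * 1000; // Firebase maximum: 2 weeks
const UNIT_MS = { ms: 1, s: 1000, m: 60 * 1000, h: 60 * 60 * 1000, d: 24 * 60 * 60 * 1000 };

// Parse "<integer><unit>" (for example "30m" or "7d") into milliseconds.
// Bare numbers are rejected so a value meant as seconds is never read as milliseconds.
function parseTtl(raw) {
  const match = /^(\d+)(ms|s|m|h|d)$/.exec(String(raw).trim());
  if (!match) {
    throw new TypeError(`TTL needs an integer and a unit (ms, s, m, h, d), got: ${JSON.stringify(raw)}`);
  }
  const ms = Number(match[1]) * UNIT_MS[match[2]];
  if (!Number.isSafeInteger(ms)) throw new RangeError('TTL is too large');
  return ms;
}

// Return an expiresIn value (milliseconds) that createSessionCookie() will accept.
// requested: client-supplied TTL string, or undefined/null to use the default.
// config: server-side settings, e.g. { maxTtl: '5d', defaultTtl: '1d' }.
function resolveSessionDuration(requested, config) {
  const policyMaxMs = parseTtl(config.maxTtl);
  const defaultMs = parseTtl(config.defaultTtl);
  // Catch configuration drift at startup or first use, not as a failed login.
  for (const [name, ms] of [['maxTtl', policyMaxMs], ['defaultTtl', defaultMs]]) {
    if (ms < MIN_SESSION_LENGTH || ms > MAX_SESSION_LENGTH) {
      throw new RangeError(`config.${name} is outside the 5 minute to 2 week window`);
    }
  }
  if (requested === undefined || requested === null) {
    return Math.min(defaultMs, policyMaxMs);
  }
  const ms = parseTtl(requested);
  if (ms < MIN_SESSION_LENGTH) {
    throw new RangeError('Session duration is below the 5 minute minimum');
  }
  // A client may ask for less than the cap, never more.
  return Math.min(ms, policyMaxMs);
}
```

The returned number can be passed as expiresIn to createSessionCookie() and reused as the cookie maxAge.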
Once expiresIn is valid, set the cookie maxAge to the same value so the browser cookie expires when the session cookie does:

    const sessionCookie = await admin
      .auth()
      .createSessionCookie(idToken, { expiresIn });
    res.cookie('session', sessionCookie, {
      maxAge: expiresIn,
      httpOnly: true,
      secure: true,
      sameSite: 'lax',
    });

Recording the actual expiresIn in logs (and optionally in telemetry) helps you spot when a configuration drift pushes the duration outside 5 min–2 weeks, leading to reproducible alerting instead of a mysterious 401.
Firebase's Manage Session Cookies guide is the reference for implementing server-side sessions: set expiresIn in milliseconds, protect your endpoint from CSRF, and keep the cookie lifetime between five minutes and fourteen days as documented in the official session cookie guide.