Expire inactive sessions, optionally allow to stay signed in #82
Reference: kosmos/akkounts#82
Branch: feature/8-session_timeouts
When "remember me" is checked, keep user logged in for two weeks after last activity. Otherwise, expire the session after 30 minutes.
closes #8
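The two rules in the description (a sliding 30-minute inactivity window, or a two-week lifetime that is pushed out on each request when "remember me" was checked) are easy to get subtly wrong, so here is a plain-Ruby model of that policy as an added example. It is not code from the akkounts project or from Devise; the constant names, the `SessionPolicy` class and the `extend_remember_period:` flag (modelled on the Devise option of the same name, whose default is off) are assumptions made for the illustration.

```ruby
# Added example, not project code: a framework-free model of the session
# expiry policy described in this PR, so both branches can be exercised.

class SessionPolicy
  INACTIVITY_TIMEOUT = 30 * 60            # 30 minutes, the plain-session rule
  REMEMBER_FOR       = 14 * 24 * 60 * 60  # two weeks, the remember-me rule

  # remember_me:         whether the checkbox was ticked at sign-in
  # last_request_at:     drives the inactivity window for plain sessions
  # remember_expires_at: absolute expiry of the remember-me cookie (nil if unused)
  Session = Struct.new(:remember_me, :last_request_at, :remember_expires_at)

  # Start a session at +now+. Only a remember-me session gets the long lifetime.
  def self.sign_in(now, remember_me:)
    Session.new(remember_me, now, remember_me ? now + REMEMBER_FOR : nil)
  end

  # Evaluate a request at +now+ and return :active, :timed_out or :remember_expired.
  # extend_remember_period: true makes the two weeks count from the last request
  # (the behaviour the PR description asks for); false counts from sign-in only.
  def self.check(session, now, extend_remember_period: true)
    if session.remember_me
      return :remember_expired if now > session.remember_expires_at
      session.remember_expires_at = now + REMEMBER_FOR if extend_remember_period
    else
      return :timed_out if now - session.last_request_at > INACTIVITY_TIMEOUT
    end
    # Any accepted request refreshes the inactivity clock.
    session.last_request_at = now
    :active
  end

  # Sign-out drops the remember-me state so a leftover cookie on a shared
  # machine cannot resume the session; the caller must also clear the cookie.
  def self.sign_out(session)
    session.remember_me = false
    session.remember_expires_at = nil
    :signed_out
  end
end
```

Walking a plain session through requests 29 minutes apart keeps it alive indefinitely, while a 31-minute gap ends it; a remember-me session survives days of silence but still expires two weeks after its last accepted request, and with the extension flag off it expires two weeks after sign-in no matter how active the user was.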
@ -6,1 +6,4 @@
connect() {
// Devise timeoutable ends up adding a second flash message without content
// TODO investigate bug
if (this.element.textContent.trim() == "true") return;
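Review bot: the early return in connect() suppresses the stray flash by matching on its rendered text ("true"), which hides the symptom rather than the cause. Devise's failure app sets flash[:timedout] = true when timeoutable signs a user out, so a flash partial that iterates over every flash key will render that boolean as a message; skipping the :timedout key (and any other non-message keys) where the flashes are rendered server-side is the targeted fix. If the workaround stays, the "TODO investigate bug" comment above should point at a tracking issue so it does not outlive the release.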
So the content has the value "true"?
Yeah, for that unexpected additional flash message. I figured it's OK to hotfix like this, since no message should ever just say "true".
@ -230,3 +230,3 @@
# The time you want to timeout the user session without activity. After this
# time the user will be asked for credentials again. Default is 30 minutes.
# config.timeout_in = 30.minutes
config.timeout_in = 24.hours
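Review bot: config.timeout_in = 24.hours contradicts the 30 minutes stated in the PR description, and the comment kept above it still says "Default is 30 minutes", so one of the two needs updating. Note also that Devise's timeoutable hook skips the timeout entirely while a remember-me cookie is active, so this value only governs sessions signed in without "remember me"; the two-week "after last activity" behaviour in the description needs config.remember_for = 2.weeks together with config.extend_remember_period = true, because by default the remember cookie expires remember_for after it was issued regardless of activity. Given the takeover risk discussed in this thread, config.expire_all_remember_me_on_sign_out = true (the Devise default) should stay on so that signing out on a shared machine also invalidates the cookie.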
I tend to have this number higher these days.
What timeout would you propose?
(Keep in mind that this is the central account management app, where you can potentially take over a lot of services if you're able to access an active browser session.)
@bumi Did you see my question here?
Yeah, not sure... it's always the balance between convenience, so that I don't have to log in again, and some "security" in case a user uses a "public" computer.
But yeah, leave it at a day. If the user does not visit the site again after a day they have to log in again.
Since I also wasn't quite happy with forcing the tradeoff this way, I have overhauled the sign-in form and added a remember-me button, using our new toggle switch component and Devise's Rememberable strategy. So now it's better both ways: expiring faster when needed, and staying logged in when the user thinks it's safe.
Updated PR description and added a screenshot.
@bumi I'll wait for last review and approval before merging.
Force-pushed 344e4e5bcc to a8a8fba14c
Title changed from "Add time limit for inactive sessions" to "Expire inactive sessions, optionally allow to stay signed in"