Reduce lifetime of remember me sessions #136

Open
clarkwinkelmann opened this issue Mar 4, 2021 · 6 comments
@clarkwinkelmann
Member

This is a meta discussion somewhat related to the changes introduced in flarum/framework#2651

Due to the garbage collector issue flarum/framework#2075, the session duration was never properly enforced, so most people probably have no idea of the default lifetimes we baked in.

Basically the current remember session duration is as follows:

  • The token expires 5 years after the last activity
  • The cookie expires 5 years after login

Disregarding the mismatch between the two, I think 5 years is too long. It makes no sense to keep a session active that long without any activity.

I would suggest we scale it down to a value somewhere between 3 months and a year.

As we make it shorter, the need to fix the mismatch between database and cookie will become more important. I'm suggesting we do something similar to cookies where a middleware checks if the session's token is a remember token, and sets the cookie again with a new expiration on every request. Prior to the access token refactor this wasn't very easy, but now it will be something relatively easy to implement.
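The refresh middleware sketched in the comment above, written out as an added PHP example (this is not Flarum's code; the in-memory token store, the `remember_token` cookie name and the lifetime value are assumptions chosen for the illustration). On every request that carries a valid remember token it pushes the token's expiry in the store forward and re-issues the cookie with that same expiry, so the database and cookie lifetimes can no longer drift apart; a plain session token, or a token that has already lapsed, gets no refresh.

```php
<?php
// Added illustration of sliding expiration for a "remember me" token (not Flarum's code).
// Assumptions: tokens live in an in-memory map keyed by token string; the lifetime is a
// value in seconds that would come from a hypothetical config.php setting.

declare(strict_types=1);

const REMEMBER_COOKIE = 'remember_token';   // hypothetical cookie name

final class RememberTokenStore
{
    /** @var array<string, array{type: string, expires_at: int}> */
    private array $tokens = [];

    public function issue(string $token, string $type, int $now, int $lifetime): void
    {
        $this->tokens[$token] = ['type' => $type, 'expires_at' => $now + $lifetime];
    }

    /** Returns the token row, or null when the token is unknown or already expired. */
    public function find(string $token, int $now): ?array
    {
        $row = $this->tokens[$token] ?? null;
        if ($row === null || $row['expires_at'] <= $now) {
            return null;
        }
        return $row;
    }

    /** Extends the token's expiry from the current activity and returns the new timestamp. */
    public function touch(string $token, int $now, int $lifetime): int
    {
        $this->tokens[$token]['expires_at'] = $now + $lifetime;
        return $this->tokens[$token]['expires_at'];
    }
}

/**
 * Hypothetical middleware step. If the request carries a valid remember token, extend the
 * stored expiry and build a Set-Cookie header carrying the *same* expiry, so the cookie and
 * the database agree. Returns null when no cookie should be sent.
 */
function refreshRememberCookie(array $cookies, RememberTokenStore $store, int $now, int $lifetime): ?string
{
    $token = $cookies[REMEMBER_COOKIE] ?? null;
    if ($token === null) {
        return null;
    }

    $row = $store->find($token, $now);
    if ($row === null || $row['type'] !== 'remember') {
        // Unknown, expired, or not a remember token: extend nothing.
        return null;
    }

    $expiresAt = $store->touch($token, $now, $lifetime);
    $expires = gmdate('D, d M Y H:i:s', $expiresAt) . ' GMT';

    return sprintf(
        '%s=%s; Expires=%s; Path=/; HttpOnly; Secure; SameSite=Lax',
        REMEMBER_COOKIE,
        rawurlencode($token),
        $expires
    );
}

// Demonstration with constructed values: a 90-day remember lifetime, one remember token
// and one ordinary session token issued at the same moment.
$lifetime = 90 * 24 * 3600;
$t0 = 1_700_000_000;
$store = new RememberTokenStore();
$store->issue('abc123', 'remember', $t0, $lifetime);
$store->issue('sess456', 'session', $t0, 3600);

// Activity 30 days later: both the stored expiry and the cookie move to t0 + 30d + 90d.
echo refreshRememberCookie([REMEMBER_COOKIE => 'abc123'], $store, $t0 + 30 * 86400, $lifetime), PHP_EOL;

// A session token presented in the remember cookie is not extended.
var_dump(refreshRememberCookie([REMEMBER_COOKIE => 'sess456'], $store, $t0, $lifetime));

// 100 idle days after that last activity exceed the 90-day window: the token has lapsed.
var_dump(refreshRememberCookie([REMEMBER_COOKIE => 'abc123'], $store, $t0 + 130 * 86400, $lifetime));
```

Run it with the `php` CLI. The point of deriving the cookie `Expires` from the value the store just wrote, rather than from a separate cookie lifetime, is that shortening the configured lifetime then automatically shortens both halves together.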

@stale

stale bot commented Jun 3, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. We do this to keep the amount of open issues to a manageable minimum.
In any case, thanks for taking an interest in this software and contributing by opening the issue in the first place!

@stale stale bot added the stale label Jun 3, 2021
@clarkwinkelmann
Member Author

I think we should discuss/vote on this during our next meeting to decide if we want to change it. Then the issue can either be closed if we don't change anything, or updated to describe the exact timeouts we decide to implement.

@stale stale bot removed the stale label Jun 4, 2021
@davwheat
Member

davwheat commented Jun 4, 2021

I'll stick my opinion here in case I can't make it or I forget for some reason:

I think we should let users/admins decide.

A list of options on the admin page that can be selected for users to choose from, or a forced session time instead. Users can change the "remember me" session expiry via a setting on their account.

We'd have to make sure this all plays nicely with 3rd party login systems.

@clarkwinkelmann
Member Author

> I think we should let users/admins decide.

We could make this configurable via config.php, like the normal session lifetime.

Because of the way tokens have been refactored in my previous PRs, the lifetime can no longer be customized per-user or per-token. All remember me tokens need to have the same lifetime.

@davwheat
Member

davwheat commented Jun 4, 2021

In that case, I agree that we should make them configurable. Config file sounds good -- it's not something that needs to be changed often enough to warrant it being easily modified in the dashboard.

@SychO9
Member

SychO9 commented Jun 5, 2021

I agree with making it configurable while changing the default to the suggested

> somewhere between 3 months and a year

@askvortsov1 askvortsov1 transferred this issue from flarum/framework Mar 10, 2022