`session_timeout = 123` would work, where `123` is the duration in seconds. However, as I described above, that won't buy you much because of the limited cookie lifetime.
I noticed a few issues with the admin login session:

- Although `session_timeout` can be changed in the config, the cookie lifetime is limited to a single browser session, so whenever a browser is restarted, you have to log in again. This is particularly inconvenient on mobile, where the OS tends to unload the browser pretty aggressively.
- It seems like the cookie is never refreshed after login, which means you'll be forced to re-authenticate after the `session_timeout` since the login, even if you've been using the app all along. I think it would be better to refresh the cookie regularly to prevent that.
I'd be happy to propose a patch for both issues.
Currently CSRF token timeout is hard-coded at 1800 seconds. This often becomes inconvenient when I want to perform an action on a page that I loaded a while ago. A couple of typical cases:
- Reading the timeline on a phone is often done in small chunks of time, so I load a page and slowly scroll through it. If I attempt to like something more than half an hour later, it fails with a CSRF error. Reloading the page is also not ideal because it loses my reading position.
- Writing any non-trivial post may take longer than 30 minutes, especially if I have to look up/research something.
For myself, I don't see much threat from increasing CSRF lifetime to something on the order of several hours, so I would like to have that option.
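To make the two requests above concrete (a session cookie that is refreshed while the user stays active, and a CSRF token whose lifetime is configurable rather than hard-coded at 1800 seconds), here is a self-contained sketch written for this thread. It is not microblog.pub's code; the `SECRET` value, the `refresh_after` / `csrf_timeout` parameters and the `user|sid|issued_at` payload layout are assumptions chosen for the illustration. The CSRF token is bound to a stable session id rather than to the cookie bytes, so refreshing the cookie does not invalidate tokens already embedded in open pages.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed secret for the example only; a deployment would load it from config.
SECRET = b"example-only-secret-key"


def _sign(secret: bytes, payload: str) -> str:
    """Return '<payload>.<mac>' with an HMAC-SHA256 MAC over the payload."""
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    return payload + "." + base64.urlsafe_b64encode(mac).decode().rstrip("=")


def _verify(secret: bytes, token: str) -> Optional[str]:
    """Return the payload if the MAC is valid, else None (constant-time compare)."""
    payload, sep, _mac = token.rpartition(".")
    if not sep:
        return None
    expected = _sign(secret, payload)
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return None
    return payload


def issue_session(secret: bytes, user: str, now: float, sid: Optional[str] = None) -> str:
    """Session cookie value: signed 'user|sid|issued_at'. A refresh reuses the sid."""
    sid = sid or secrets.token_hex(8)
    return _sign(secret, f"{user}|{sid}|{int(now)}")


def parse_session(secret: bytes, token: str) -> Optional[Tuple[str, str, int]]:
    """Return (user, sid, issued_at) for a correctly signed cookie, else None."""
    payload = _verify(secret, token)
    if payload is None:
        return None
    parts = payload.rsplit("|", 2)
    if len(parts) != 3 or not parts[2].isdigit():
        return None
    return parts[0], parts[1], int(parts[2])


def check_session(secret: bytes, token: str, now: float,
                  session_timeout: int, refresh_after: int
                  ) -> Tuple[Optional[str], Optional[str]]:
    """Sliding expiration: returns (user, cookie_to_set).

    user is None when the cookie is invalid or older than session_timeout.
    cookie_to_set is a re-issued cookie once the current one is at least
    refresh_after seconds old, so an active user never hits the timeout.
    """
    parsed = parse_session(secret, token)
    if parsed is None:
        return None, None
    user, sid, issued = parsed
    age = now - issued
    if age < 0 or age > session_timeout:
        return None, None
    if age >= refresh_after:
        return user, issue_session(secret, user, now, sid)
    return user, None


def issue_csrf(secret: bytes, session_token: str, now: float) -> str:
    """CSRF token bound to the session id and stamped with its issue time."""
    parsed = parse_session(secret, session_token)
    if parsed is None:
        raise ValueError("cannot issue a CSRF token without a valid session")
    _user, sid, _issued = parsed
    return _sign(secret, f"{sid}|{int(now)}|{secrets.token_hex(8)}")


def check_csrf(secret: bytes, session_token: str, csrf_token: str, now: float,
               csrf_timeout: int = 1800) -> bool:
    """Accept the token if it is signed, bound to this session and not older
    than csrf_timeout seconds (the hard-coded value in the thread is 1800)."""
    parsed = parse_session(secret, session_token)
    payload = _verify(secret, csrf_token)
    if parsed is None or payload is None:
        return False
    parts = payload.split("|")
    if len(parts) != 3 or not parts[1].isdigit():
        return False
    sid_ok = hmac.compare_digest(parts[0].encode(), parsed[1].encode())
    age = now - int(parts[1])
    return sid_ok and 0 <= age <= csrf_timeout


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    cookie = issue_session(SECRET, "alice", t0)
    # Twenty minutes later the cookie is still valid and gets re-issued.
    user, refreshed = check_session(SECRET, cookie, t0 + 1200, 3600, 600)
    token = issue_csrf(SECRET, cookie, t0)
    print(user, refreshed is not None, check_csrf(SECRET, refreshed, token, t0 + 100))
```

The refresh threshold keeps the server from re-setting the cookie on every request while still guaranteeing that a user who is active more often than `session_timeout - refresh_after` seconds apart is never logged out; the CSRF lifetime is a plain parameter so it can be raised to several hours without touching the session logic.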
I see, that's fair. SQLite it is then. Thanks for a quick response!
It would be nice if microblog.pub allowed using Postgres as a database, instead of SQLite. After a quick glance over the code it doesn't seem like there is anything SQLite-specific about the app, other than the hard-coded database connection string, so maybe it wouldn't be hard to add?
I know that for many SQLite is very convenient for its low setup overhead, but in my case, I already run a Postgres server which a few of my apps use, and I have all necessary infrastructure around it, such as backups, so consolidating all data in one place would simplify some things for me.