Comment by ~nevkontakte on ~tsileo/microblog.pub
Thank you!
Comment by ~nevkontakte on ~tsileo/microblog.pub
I believe session_timeout = 123 would work, where 123 is the duration in seconds. However, as I described above, that won't buy you much because of the limited cookie lifetime.
Ticket created by ~nevkontakte on ~tsileo/microblog.pub
I noticed a few issues with the admin login session:
- Although session_timeout can be changed in the config, the cookie lifetime is limited to a single browser session, so whenever a browser is restarted, you have to log in again. This is particularly inconvenient on mobile, where the OS tends to unload the browser pretty aggressively.
- It seems like the cookie is never refreshed after login, which means you'll be forced to re-authenticate after the session_timeout since the login, even if you've been using the app all along. I think it would be better to refresh the cookie regularly to prevent that.
I'd be happy to propose a patch for both issues.
Ticket created by ~nevkontakte on ~tsileo/microblog.pub
Currently CSRF token timeout is hard-coded at 1800 seconds. This often becomes inconvenient when I want to perform an action on a page that I loaded a while ago. A couple of typical cases:
- Reading the timeline on a phone is often done in small chunks of time, so I load a page and slowly scroll through it. If I attempt to like something more than half an hour later, it fails with a CSRF error. Reloading the page is also not ideal because it loses my reading position.
- Writing any non-trivial post may take longer than 30m, especially if I have to look up/research something.
For myself, I don't see much threat from increasing CSRF lifetime to something on the order of several hours, so I would like to have that option.
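As an added illustration (not microblog.pub's own code, and not a patch from the ticket author), here is how the two requests in the tickets above, a persistent admin session cookie that is refreshed regularly and a CSRF token whose lifetime comes from the config, could be implemented together with only the Python standard library. The config keys (session_timeout, csrf_timeout), the refresh ratio and the HMAC-signed token format are assumptions made for this example.

```python
"""Sliding admin session cookie and a CSRF token with a configurable lifetime.

Added illustration, not microblog.pub's own code. The config keys, the refresh
ratio and the HMAC-signed token format are assumptions for this example.
"""
import base64
import hashlib
import hmac
import json
import secrets

# Constructed config for the example (seconds); not real microblog.pub settings.
CONFIG = {"session_timeout": 3600, "csrf_timeout": 4 * 3600}
SECRET = secrets.token_bytes(32)   # would be loaded from the server config
REFRESH_AFTER = 0.5                # re-issue the cookie after half its lifetime


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload: dict, issued_at: float) -> str:
    """Serialise payload + issue time and append an HMAC-SHA256 tag."""
    body = _b64(json.dumps({"p": payload, "t": issued_at}, sort_keys=True).encode())
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify(token: str, max_age: float, now: float):
    """Return (payload, issued_at) if the tag is valid and the token is fresh, else None."""
    try:
        body, tag = token.split(".", 1)
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        data = json.loads(_unb64(body))
        payload, issued_at = data["p"], float(data["t"])
    except (ValueError, KeyError, TypeError):
        return None
    # Reject tokens from the future (clock skew) and tokens older than max_age.
    if issued_at > now or now - issued_at > max_age:
        return None
    return payload, issued_at


# --- admin session cookie --------------------------------------------------

def issue_session(user: str, now: float, sid: str = "") -> str:
    """A stable session id travels inside the cookie and survives refreshes."""
    return sign({"u": user, "sid": sid or secrets.token_hex(16)}, now)


def set_cookie_header(value: str, max_age: int) -> str:
    """Persistent cookie (Max-Age) so a browser restart does not drop the login."""
    return (f"Set-Cookie: session={value}; Max-Age={max_age}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax")


def check_session(cookie: str, now: float):
    """Validate the cookie. Returns (payload, refreshed_cookie_or_None) or None."""
    timeout = CONFIG["session_timeout"]
    result = verify(cookie, timeout, now)
    if result is None:
        return None
    payload, issued_at = result
    refreshed = None
    if now - issued_at >= REFRESH_AFTER * timeout:
        # Sliding expiry: re-issue with a new timestamp but the same session id.
        refreshed = issue_session(payload["u"], now, payload["sid"])
    return payload, refreshed


# --- CSRF token bound to the session id ------------------------------------

def issue_csrf(sid: str, now: float) -> str:
    return sign({"sid": sid}, now)


def check_csrf(token: str, sid: str, now: float) -> bool:
    """Valid only for csrf_timeout seconds and only for the session it was issued to."""
    result = verify(token, CONFIG["csrf_timeout"], now)
    if result is None:
        return False
    payload = result[0]
    return isinstance(payload, dict) and hmac.compare_digest(str(payload.get("sid", "")), sid)
```

On every authenticated request the handler calls check_session and, when it returns a refreshed cookie, sends it back with set_cookie_header, which is what turns a fixed session_timeout into a sliding one. The CSRF token is bound to the session id carried inside the cookie rather than to the cookie value itself; that detail matters because a refresh changes the cookie value, and binding to it would invalidate the token on every page that is still open. Because the token only works together with the matching session cookie, giving csrf_timeout a lifetime of several hours, as the ticket asks for, does not by itself let a cross-site page forge a request.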
Comment by ~nevkontakte on ~tsileo/microblog.pub
I see, that's fair. SQLite it is then. Thanks for a quick response!
Ticket created by ~nevkontakte on ~tsileo/microblog.pub
It would be nice if microblog.pub allowed using Postgres as a database, instead of SQLite. After a quick glance over the code it doesn't seem like there is anything SQLite-specific about the app, other than the hard-coded database connection string, so maybe it wouldn't be hard to add?
I know that for many SQLite is very convenient for its low setup overhead, but in my case, I already run a Postgres server which a few of my apps use, and I have all necessary infrastructure around it, such as backups, so consolidating all data in one place would simplify some things for me.
Thanks!