Login session lifetime

I noticed a few issues with the admin login session:

  • Although session_timeout can be changed in the config, the cookie lifetime is limited to a single browser session, so whenever a browser is restarted, you have to log in again. This is particularly inconvenient on mobile, where the OS tends to unload the browser pretty aggressively.
  • It seems like the cookie is never refreshed after login, which means you'll be forced to re-authenticate after the session_timeout since the login, even if you've been using the app all along. I think it would be better to refresh the cookie regularly to prevent that.

I'd be happy to propose a patch for both issues.

Assigned to
1 year, 20 days ago
11 months ago
No labels applied.

Rodrigo Ghedin 1 year, 15 days ago · edit

How can I change session_timeout in the config? Didn’t find this info in documentation.

~nevkontakte 1 year, 15 days ago

I believe session_timeout = 123 would work, where 123 is the duration in seconds. However, as I described above, that won't buy you much because of the limited cookie lifetime.

~tsileo 11 months ago

Hey, I was able to replicate this behavior on Chrome, but for some reason, on Firefox the cookies is still valid after a restart.

I agree that it makes sense to tweak the behavior.

I will add this my todo list, unless you're still up for proposing a patch, let me know!


Register here or Log in to comment, or comment via email.