Login session lifetime

I noticed a few issues with the admin login session:

  • Although session_timeout can be changed in the config, the cookie lifetime is limited to a single browser session, so whenever a browser is restarted, you have to log in again. This is particularly inconvenient on mobile, where the OS tends to unload the browser pretty aggressively.
  • It seems like the cookie is never refreshed after login, which means you'll be forced to re-authenticate after the session_timeout since the login, even if you've been using the app all along. I think it would be better to refresh the cookie regularly to prevent that.

I'd be happy to propose a patch for both issues.

Assigned to
27 days ago
22 days ago
No labels applied.

Rodrigo Ghedin 22 days ago · edit

How can I change session_timeout in the config? Didn’t find this info in documentation.

~nevkontakte 22 days ago

I believe session_timeout = 123 would work, where 123 is the duration in seconds. However, as I described above, that won't buy you much because of the limited cookie lifetime.

Register here or Log in to comment, or comment via email.