~tsileo/microblog.pub#137: 
Login session lifetime

I noticed a few issues with the admin login session:

  • Although session_timeout can be changed in the config, the cookie lifetime is limited to a single browser session, so whenever a browser is restarted, you have to log in again. This is particularly inconvenient on mobile, where the OS tends to unload the browser pretty aggressively.
  • It seems like the cookie is never refreshed after login, which means you'll be forced to re-authenticate after the session_timeout since the login, even if you've been using the app all along. I think it would be better to refresh the cookie regularly to prevent that.

I'd be happy to propose a patch for both issues.

Status: REPORTED
Submitter: ~nevkontakte
Assigned to: No-one
Submitted: 1 year, 7 months ago
Updated: 5 months ago
Labels: No labels applied.
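
The two behaviours requested in the issue description above, as an added example (not microblog.pub's code and not written by anyone in this thread): a persistent cookie via `Max-Age`, refreshed on activity. The cookie name, token layout, `SECRET` and the absolute `MAX_LIFETIME` cap are assumptions made for the illustration; the cap goes beyond what the issue asks for and bounds how long a copied cookie can be kept alive by sliding.

```python
import hashlib
import hmac
from typing import Optional, Tuple

SECRET = b"constructed-demo-key"  # constructed value; a real key comes from config
SESSION_TIMEOUT = 3600            # idle timeout in seconds (the session_timeout role)
MAX_LIFETIME = 14 * 86400         # assumed absolute cap, not part of the issue


def _mac(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue(login_at: int, seen_at: int) -> str:
    """Build a Set-Cookie header; Max-Age makes the cookie survive a browser restart."""
    payload = f"{login_at}.{seen_at}"
    return (f"session={payload}.{_mac(payload)}; Max-Age={SESSION_TIMEOUT}; "
            "Path=/; HttpOnly; Secure; SameSite=Lax")


def verify(value: str, now: int) -> Optional[Tuple[int, int]]:
    """Return (login_at, seen_at) for a valid, unexpired cookie value, else None."""
    payload, _, mac = value.rpartition(".")
    if not hmac.compare_digest(mac.encode(), _mac(payload).encode()):
        return None
    try:
        login_at, seen_at = (int(p) for p in payload.split("."))
    except ValueError:
        return None
    if not login_at <= seen_at <= now:
        return None
    if now - seen_at > SESSION_TIMEOUT or now - login_at > MAX_LIFETIME:
        return None
    return login_at, seen_at


def handle_request(value: Optional[str], now: int) -> Tuple[bool, Optional[str]]:
    """Return (authenticated, Set-Cookie header to send or None)."""
    session = verify(value, now) if value else None
    if session is None:
        return False, None
    login_at, seen_at = session
    # Sliding expiry: re-issue once half the idle timeout has elapsed, so an
    # active admin stays logged in while an idle session still expires.
    if now - seen_at >= SESSION_TIMEOUT // 2:
        return True, issue(login_at, now)
    return True, None
```
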

Rodrigo Ghedin 1 year, 7 months ago

How can I change session_timeout in the config? Didn’t find this info in the documentation.

~nevkontakte 1 year, 7 months ago

I believe session_timeout = 123 would work, where 123 is the duration in seconds. However, as I described above, that won't buy you much because of the limited cookie lifetime.

~tsileo 1 year, 6 months ago

Hey, I was able to replicate this behavior on Chrome, but for some reason, on Firefox the cookie is still valid after a restart.

I agree that it makes sense to tweak the behavior.

I will add this to my todo list, unless you're still up for proposing a patch, let me know!

Thanks!

~chrichri 5 months ago

I might have another request: I'm using micropub-go to post from the command line (didn't get entries to work with my microblog.pub) and it requests a token successfully. On the page confirming the request of the token I'm offered to choose which actions are allowed using that token.

It would be great if I could also choose how long the token is valid.

Use case: Let's say I do want to post a series of quotes by a cron job over the next two weeks. The token will never leave the computer that I'm running microblog.pub on, because I'd put the cron job on the same. I'd love to be able to say that the token will be valid for these two weeks.
