~tsileo/microblog.pub#137: 
Login session lifetime

I noticed a few issues with the admin login session:

  • Although session_timeout can be changed in the config, the cookie lifetime is limited to a single browser session, so whenever a browser is restarted, you have to log in again. This is particularly inconvenient on mobile, where the OS tends to unload the browser pretty aggressively.
  • It seems like the cookie is never refreshed after login, which means you'll be forced to re-authenticate after the session_timeout since the login, even if you've been using the app all along. I think it would be better to refresh the cookie regularly to prevent that.

I'd be happy to propose a patch for both issues.

Status
REPORTED
Submitter
~nevkontakte
Assigned to
No-one
Submitted
4 months ago
Updated
3 months ago
Labels
No labels applied.

Rodrigo Ghedin 4 months ago

How can I change session_timeout in the config? Didn't find this info in the documentation.

~nevkontakte 4 months ago

I believe session_timeout = 123 would work, where 123 is the duration in seconds. However, as I described above, that won't buy you much because of the limited cookie lifetime.

~tsileo 3 months ago

Hey, I was able to replicate this behavior on Chrome, but for some reason, on Firefox the cookie is still valid after a restart.

I agree that it makes sense to tweak the behavior.

I will add this to my todo list, unless you're still up for proposing a patch; let me know!

Thanks!
