So I love this little app a lot, but one of the few things that's been bugging me is session expiration - both the fact that you can only have one active session at a time (so if I log in on my phone, my desktop session goes away), and that sessions expire after twelve hours regardless. The session expiration is easy enough to tweak without any major changes, but multi-session support is a little more complex.
I'm happy to do the code work needed, but figured I should open up discussion before diving in. The simplest, slightly hacky solution, would be to store multiple session tokens server-side, and iterate through them. A slightly nicer option would be something like https://fastapi-login.readthedocs.io/ (though I need to check if it supports multiple sessions). There may be other packages providing similar functionality, too.
The session expiration could easily be increased, right now it's set to 12 hours, it's true that it is too short. I will increase it, maybe 7 days would be a better default?
About the multi-session, the admin session is stateless (as in, no DB involved): a signed blob is stored in a cookie, and the signature (that expires) is validated for each request.
There's nothing preventing multiple sessions to exists at the same time. I am logged on multiple devices right now and I don't have any issues.
Do you use some kind of synchronization between your browsers? That could be the culprit.
Thanks for starting a discussion!
I don't know how exactly it's implemented, so please pardon me if what I'm saying is impossible.
a signed blob is stored in a cookie, and the signature (that expires) is validated for each request.
Is it possible to regenerate this cookie signature on each request, and send a Set-Cookie header with a new cookie signature on each request? Then it will effectively become "12 hours since last action", not "12 hours since login".
Having a session that never expires is doable but a bit scary from a security perspective. If someone went to steal a cookie, by making requests periodically, they could basically have a token that works forever (VS being unable to use it after a given amount of time).
Oh hmm I wonder if I'm checking just infrequently enough that I'm hitting the 12-hr timeout and it only looks like it's device-related - I don't do any automatic session-syncing between devices. The big problem with stateless sessions is that you can't remotely expire them, which would be the usual protection against stolen cookies. I'll peek a little more into fastapi-login - it's meant to be like flask-login, which I've used before and found extremely easy to integrate into projects.
A longer (or configurable) timeout may be a good stop-gap solution, though.
I feel like it would be nice to not bring another dependency just for this. And I would like to avoid having to handle sessions in the DB.
And there's always the possibility to reset the secret to expire the sessions. My previous point was that we should not allow to "refresh" the sessions indefinitely.
I think increasing the session expiration to a few days would be a good compromise between usability and security (and yes, we can make the session expiration a config item).
Ha, I totally get not wanting to add more deps. That sounds like a decent enough compromise!
I just pushed a commit that extends the default to 3 days, I will try to make it a config item tomorrow.
Just wanted to add to this that it appears that the 3 day timeout is only half-working. Once I hit the former 12-hour timeout, I can still look at my timeline, but all of my links/buttons are missing. I have to manually type "/admin/logout" to get out and sign back in to fix it.
Yes I noticed that too, I missed a place where the timeout should have been updated too.
I will push a fix later today (and make it a configurable/a constant).