UX: Longer sessions #1302
Comments
I am considering adding a "Remember me" option on the login page, and setting the cookie to be valid for 6 months if it is selected. Do you think 6 months is a good idea? I'd like to hear from anyone.
Passes on whether the user has selected the "remember me" option by setting a cookie, and if so, the jwt cookie set at login is set to be valid for 6 months instead of one week. Related: #1302
This (realising a "remember-me" feature with JWT) turns out to be a more complex thing than I originally thought. A simple solution would be similar to what I did last week (#1310). This is also how it is implemented in Artemis. Artemis currently adopts 3 days as the token validity when "remember-me" is not checked at log-in, and 1 month when checked. A more recommended way is, according to this answer, and as Joscha suggested, to refresh the token before it expires every time the user opens the website. I will try to implement the second way today, but I am not sure whether this would go smoothly; if not, I don't think I still have time to work on it until 1st March. Wish me luck =w= And I appreciate any comments and suggestions.
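The refresh-on-visit approach mentioned in the comment above, as an added example that is not part of the thread or of the TUMLive code base: each token stays valid for one week, a visit close to expiry reissues it, and the expiry can never slide past six months from the real login. The hand-rolled HS256 token (standing in for a JWT library), the `auth_time` claim, `REFRESH_AT` and the function names are assumptions made for this sketch.

```python
import base64, hashlib, hmac, json

# One week and six months are the figures from the thread; REFRESH_AT is assumed.
TOKEN_TTL = 7 * 24 * 3600        # lifetime of each issued token, in seconds
ABSOLUTE_TTL = 180 * 24 * 3600   # hard cap counted from the real login
REFRESH_AT = 24 * 3600           # reissue once less than this remains


def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mac(key: bytes, msg: str) -> str:
    return b64e(hmac.new(key, msg.encode(), hashlib.sha256).digest())


def sign(key: bytes, claims: dict) -> str:
    header = b64e(b'{"alg":"HS256","typ":"JWT"}')
    msg = header + "." + b64e(json.dumps(claims, separators=(",", ":")).encode())
    return msg + "." + mac(key, msg)


def verify(key: bytes, token: str, now: int) -> dict:
    """Check the HMAC (the header's alg field is never trusted), then the expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    if not hmac.compare_digest(parts[2].encode(), mac(key, ".".join(parts[:2])).encode()):
        raise ValueError("bad signature")
    claims = json.loads(b64d(parts[1]))
    if now >= claims["exp"]:
        raise ValueError("expired, login required")
    return claims


def refresh(key: bytes, token: str, now: int) -> str:
    """Slide the expiry on a visit, but never past auth_time + ABSOLUTE_TTL."""
    claims = verify(key, token, now)
    deadline = claims["auth_time"] + ABSOLUTE_TTL  # auth_time is fixed at login
    if now >= deadline:
        raise ValueError("absolute lifetime reached, login required")
    if claims["exp"] - now > REFRESH_AT:
        return token  # plenty of lifetime left, keep the current cookie
    claims["exp"] = min(now + TOKEN_TTL, deadline)
    return sign(key, claims)
```

A stolen cookie under this scheme stops working after at most one idle week, whereas a fixed six-month cookie stays usable for the full period.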
This feature is not planned as it would induce a security issue due to long sessions.
I don't mean that in a bad way, but could you explain how this is a security issue? I really am curious, as I never have had to relogin to YouTube, Twitter, GitHub or any popular website for that matter.
Is your feature request related to a problem? Please describe.
Currently, when I log on to TUMLive, those sessions expire after a week.
On Desktop, this isn't that big of a deal, but on mobile it is really frustrating that I have to relogin every week.
Describe the solution you'd like
Make sessions (much) longer in general (or not expire at all) and/or refresh them when the user uses the site.
I know of no other streaming sites where I have ever had the problem of being logged out.
Frankly, I don't think an application such as TUMLive warrants such special security measures.
Describe alternatives you've considered
Additional context
I am not sure if there is something you can do about this given that this is probably mostly handled by Shibboleth, but I hope so.