Closed jasalisbury closed 3 years ago
In addition to the above, we should rethink using the cookie's maxAge, as opposed to keeping it as a session cookie (and thus automatically logging out on browser quit). Maybe the maxAge is instead implemented as a data point in the session, and we automatically log people out if it's too old?
Yeah, coming back to this, it seems like the best solution is to just drop the maxAge on the server side. I was worried about stale sessions in the session store, but it seems most session stores have a mechanism for clearing out old session cookies.
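An added example, not part of the original thread or the project's code: one way to keep the idle limit as a data point in the session, as suggested in the comments above, written as Express-style middleware. The names `startSession`, `idleTimeout`, `userId` and `lastActivity` are hypothetical, and the 30-minute limit is the frontend idle timeout figure given in the issue.

```javascript
// Added example: idle timeout tracked in session data instead of cookie maxAge.
// startSession, idleTimeout, userId and lastActivity are hypothetical names.
const MAX_IDLE_MS = 30 * 60 * 1000; // 30 minutes, the idle limit quoted in the issue

// Call at login so every authenticated session carries a timestamp.
function startSession(session, userId, now = Date.now) {
  session.userId = userId;
  session.lastActivity = now();
  return session;
}

// Middleware factory; `now` is injectable so the expiry logic can be tested.
function idleTimeout(maxIdleMs = MAX_IDLE_MS, now = Date.now) {
  return function (req, res, next) {
    const session = req.session;
    // No authenticated session: leave the decision to the auth layer.
    if (!session || !session.userId) return next();

    const last = Number(session.lastActivity);
    const idleFor = now() - last;
    // Missing, malformed or future-dated timestamps count as expired,
    // so a corrupt or tampered session fails closed.
    const expired = !Number.isFinite(last) || idleFor < 0 || idleFor > maxIdleMs;

    if (expired) {
      // Wipe the session data so the stale login cannot be reused.
      for (const key of Object.keys(session)) delete session[key];
      res.statusCode = 401;
      return res.end(JSON.stringify({ error: 'session expired' }));
    }

    // Any authenticated request, including a lightweight keep-alive sent
    // by an active frontend, slides the idle window forward.
    session.lastActivity = now();
    return next();
  };
}
```

With the cookie left as a browser-session cookie, the server-side timestamp is the only clock, so an active frontend needs to make some authenticated request within the limit to keep the session alive.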
Definition of Done:
User Story
As a TTA Smart Hub user, I want my session on the server to remain active as long as I am active on the page, so I don't have to log in when sending/receiving data from the API.
We added an idle timeout in the frontend in https://github.com/HHS/Head-Start-TTADP/issues/79. This logs out a user who has been inactive for a number of minutes (currently 30). However, there is a potential issue if a user stays active on a page without hitting the API. In this case the user would never explicitly be logged out, but their session cookie would time out after 30 minutes of not making API calls. We need to ensure the user has an unexpired session as long as they are active on the frontend.
Context
Comments from this PR
Acceptance Criteria