Closed YiranDuan721 closed 3 months ago
Your Testserver will be ready at https://1316.test.live.mm.rbg.tum.de in a few minutes.
A 180-day session lifetime is way too long. I think one to two weeks is perfectly fine for a VoD platform.
We are already storing the cookie, so naming it "Remember Me" is a bit misleading. It is typically used when you want to use a session cookie, and a persistent cookie (with an expiration date).
A few examples: Spotify has a "Remember Me" toggle that sets the expiration date of the token to one month. When not toggled, only a session cookie is stored.
TIDAL does not have a "Remember Me" toggle and stores a sid cookie with a lifetime of 7 days.
> A 180-day session lifetime is way too long. I think one to two weeks is perfectly fine for a VoD platform.
Why do you think a 180-day session is too long? Just now, I inspected my YouTube and Netflix cookies. Netflix has a 6-month cookie expiration date, while YouTube seems to have 2 years. Furthermore, I don't think I have ever been logged out of either of those before without changing anything on my end. They probably even do session renewals to extend that period.
Thank you for the comments! When it comes to security, I do think we should be more careful.
But some thoughts on how a "remember me" feature, realised by refreshing the token for logged-in users from time to time, would actually improve security: With this feature, we can then shorten the default duration of validity of the token, or provide an option to shorten it (lecturers and admins might want this behaviour).
And we are using a JWT instead of a session cookie, which makes a great difference, since invalidating a JWT before its expiration is more tricky.
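The sliding-refresh scheme described in this comment and in the PR description (refresh a "Remember Me" token no more often than `MinUpdateIntervalInHours`, never beyond `MaxTokenLifetimeWithRememberMeInDays`, and keep the cookie's Max-Age in step with the JWT's `exp`), as an added Go example that is not TUM-Live's own middleware code. It assumes an HS256 JWT with a shared key, a hypothetical `login_at` claim that carries the original login time across refreshes, and its own names (`RefreshConfig`, `Claims`, `Sign`, `Parse`, `NextExpiry`, `Refresh`); none of these are taken from the project.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Assumed configuration; the two long field names mirror the settings the PR
// introduces, the struct itself is this example's own.
type RefreshConfig struct {
	TokenLifetime                        time.Duration // validity of each (re)issued token
	MaxTokenLifetimeWithRememberMeInDays int           // hard cap, measured from the original login
	MinUpdateIntervalInHours             float64       // do not re-sign more often than this
}

// Claims carried in the "jwt" cookie. login_at is an assumption of this example:
// the original login time must travel with the token, otherwise a chain of
// refreshes could extend a session forever.
type Claims struct {
	Sub        string `json:"sub"`
	Iat        int64  `json:"iat"`
	Exp        int64  `json:"exp"`
	RememberMe bool   `json:"remember_me"`
	LoginAt    int64  `json:"login_at"`
}

var (
	b64       = base64.RawURLEncoding
	jwtHeader = b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
)

// Sign issues an HS256 JWT: header.payload.signature, base64url without padding.
func Sign(cl Claims, key []byte) (string, error) {
	body, err := json.Marshal(cl)
	if err != nil {
		return "", err
	}
	input := jwtHeader + "." + b64.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// Parse pins the header to HS256 (no "alg":"none" surprises), verifies the MAC
// over the exact bytes received, and rejects expired tokens before any claim is trusted.
func Parse(tok string, key []byte, now time.Time) (Claims, error) {
	var cl Claims
	parts := strings.Split(tok, ".")
	if len(parts) != 3 || parts[0] != jwtHeader {
		return cl, fmt.Errorf("malformed token or unexpected header")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if sig, err := b64.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return cl, fmt.Errorf("bad signature")
	}
	body, err := b64.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(body, &cl)
	}
	if err == nil && !now.Before(time.Unix(cl.Exp, 0)) {
		err = fmt.Errorf("token expired")
	}
	return cl, err
}

// NextExpiry is the sliding-session rule. No refresh without Remember Me, before
// the minimum interval has passed, or once the hard cap is reached (then the
// token simply expires and the user logs in again). The new exp is clipped to the cap.
func (c RefreshConfig) NextExpiry(cl Claims, now time.Time) (time.Time, bool) {
	minInterval := time.Duration(c.MinUpdateIntervalInHours * float64(time.Hour)) // 0.01 h = 36 s
	hardCap := time.Unix(cl.LoginAt, 0).Add(time.Duration(c.MaxTokenLifetimeWithRememberMeInDays) * 24 * time.Hour)
	if !cl.RememberMe || now.Sub(time.Unix(cl.Iat, 0)) < minInterval || !now.Before(hardCap) {
		return time.Time{}, false
	}
	exp := now.Add(c.TokenLifetime)
	if exp.After(hardCap) {
		exp = hardCap // a chain of refreshes can never outlive login_at + max days
	}
	return exp, true
}

// Refresh is what an auth middleware would run per request. ok=false means leave
// the existing cookie alone; otherwise set the new token with the returned
// Max-Age, so the cookie and the "exp" claim expire at the same instant.
func (c RefreshConfig) Refresh(tok string, key []byte, now time.Time) (newTok string, maxAge int, ok bool, err error) {
	cl, err := Parse(tok, key, now)
	if err != nil {
		return "", 0, false, err
	}
	exp, ok := c.NextExpiry(cl, now)
	if !ok {
		return "", 0, false, nil
	}
	cl.Iat, cl.Exp = now.Unix(), exp.Unix()
	newTok, err = Sign(cl, key)
	return newTok, int(exp.Sub(now).Seconds()), err == nil, err
}

func main() {
	key := []byte("dev-only-secret") // assumption: a real deployment loads the key from config
	cfg := RefreshConfig{TokenLifetime: 7 * 24 * time.Hour, MaxTokenLifetimeWithRememberMeInDays: 180, MinUpdateIntervalInHours: 1}
	t0 := time.Now()
	tok, _ := Sign(Claims{Sub: "student", Iat: t0.Unix(), Exp: t0.Add(cfg.TokenLifetime).Unix(), RememberMe: true, LoginAt: t0.Unix()}, key)
	// A user who visits every 6 days keeps getting refreshed until day 174, where
	// exp is clipped to the 180-day cap; on day 180 the token is dead.
	for day := 0; day <= 180; day += 6 {
		newTok, maxAge, ok, err := cfg.Refresh(tok, key, t0.Add(time.Duration(day)*24*time.Hour))
		if ok {
			tok = newTok
		}
		if day == 0 || day >= 168 {
			fmt.Printf("day %3d: refreshed=%-5v Max-Age=%d err=%v\n", day, ok, maxAge, err)
		}
	}
}
```

The point of carrying `login_at` is the one the thread circles around: with a JWT there is no server-side session to revoke, so the only hard bound on a stolen "Remember Me" cookie is the cap computed from the original login, not from the last refresh. A short `TokenLifetime` then limits how long an idle stolen token stays usable, while the cap limits the total lifetime regardless of activity.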
Motivation and Context
Related issue: #1302
Description
`MaxTokenLifetimeWithRememberMeInDays` is set, to prevent the token from being valid forever
`MinUpdateIntervalInHours` is set, so that (if "Remember Me" is checked upon logging in) the token won't get refreshed too frequently
Steps for Testing
1. Set `MinUpdateIntervalInHours` in "\tools\middlewares.go" to a smaller value, e.g. 0.01, which corresponds to 36 seconds
2. Within `MinUpdateIntervalInHours`, see the cookie remain unchanged
3. After `MinUpdateIntervalInHours`, see that both the value and the Max-Age of the cookie "jwt" have changed, and that in the payload of the JWT the value of "exp" corresponds to the Max-Age of the cookie
Screenshots
Change of UI: