cjlee112 / spnet

selected papers network web engine
http://thinking.bioinformatics.ucla.edu/2011/07/02/open-peer-review-by-a-selected-papers-network/
GNU General Public License v2.0
40 stars 11 forks

restarting spnet server requires user reauthenticating #35

Closed jdchristensen closed 11 years ago

jdchristensen commented 11 years ago

If I leave https://selectedpapers.net/ open for a while and then reload the page, I get to a version of the page that requires me to log in. I click the login button and am then logged in without any further user interaction. So it seems like it should be possible for this to happen automatically when I reload.

cjlee112 commented 11 years ago

I suspect this happened because I rolled out updates around midnight (California time). Right now I'm doing that by actually shutting the server down, pulling the latest code updates, and restarting. It only takes a few seconds, but a side effect is that users have to re-login. I'm rolling out bug fixes almost every night, so you're seeing this behavior!

To make a long story short: reloading doesn't force you to re-authenticate; restarting the server does!

You make a good point that it conceivably could try to re-login the user automatically. We could give users the option "keep me logged in", and if it saw that cookie set (but user not logged in) it could automatically call the login procedure.

jdchristensen commented 11 years ago

This happens many times per day. If I reload right away it doesn't happen. Several hours later it does. I don't know what the cut-off is.

cjlee112 commented 11 years ago

Oh, there is an approx. 2 hour timeout per session. That is pretty standard. I'm not sure we want sessions to last forever, because then they'd start accumulating, taking up more and more memory. (Many people probably won't sign out.) Do you want the session timeout to be longer? Would the auto-login you suggested resolve this issue for you?

jdchristensen commented 11 years ago

I think the auto-login is a good idea. Since I don't need to provide a password, there doesn't seem to be any reason to make me click the button.
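The behaviour discussed in this thread, as an added example that is not part of the thread or of spnet's code: in-memory sessions that vanish on restart and are evicted after the 2 hour idle timeout, plus a "keep me logged in" cookie that re-creates the session automatically. It assumes the cookie is an HMAC-signed, expiring token rather than a bare flag (so a client cannot forge it); `SessionStore`, `KEEP_TTL` and the key handling are hypothetical names and choices.

```python
import hashlib, hmac, secrets

SESSION_TIMEOUT = 2 * 60 * 60    # approx. 2 hour idle timeout, as stated in the thread
KEEP_TTL = 30 * 24 * 60 * 60     # assumed lifetime of the keep-me-logged-in cookie

class SessionStore:
    """In-memory sessions: lost on restart, evicted after the idle timeout."""
    def __init__(self, key):
        self.key = key           # assumed to be stored outside the process, so it survives restarts
        self.sessions = {}       # session id -> (user, last_seen)

    def login(self, user, now):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (user, now)
        return sid

    def _mac(self, payload):
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

    def issue_keep_cookie(self, user, now):
        payload = f"{user}|{int(now) + KEEP_TTL}"
        return f"{payload}|{self._mac(payload)}"

    def _verify_keep_cookie(self, cookie, now):
        try:
            user, expires, mac = cookie.rsplit("|", 2)
            expires_at = int(expires)
        except (AttributeError, ValueError):
            return None          # missing or malformed cookie
        good = self._mac(f"{user}|{expires}")
        if not hmac.compare_digest(mac.encode(), good.encode()) or now > expires_at:
            return None          # forged, signed with another key, or expired
        return user

    def purge(self, now):
        """Drop idle sessions so they do not accumulate in memory."""
        idle = [s for s, (_, seen) in self.sessions.items() if now - seen > SESSION_TIMEOUT]
        for sid in idle:
            del self.sessions[sid]

    def authenticate(self, sid, keep_cookie, now):
        """Return (user, sid); sid is new when the keep cookie re-created the session."""
        self.purge(now)
        if sid in self.sessions:
            user, _ = self.sessions[sid]
            self.sessions[sid] = (user, now)   # refresh the idle timer
            return user, sid
        user = self._verify_keep_cookie(keep_cookie, now)
        if user is None:
            return None, None
        return user, self.login(user, now)
```

The keep cookie acts as a long-lived credential in this sketch, so in a deployment it would be set with the `Secure` and `HttpOnly` attributes and cleared on sign-out.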