emory-libraries / dlp-lux

Discovery for the DLP Cor Repository

Set maximum Devise session in accordance with IIIF cookie duration #561

Closed nikdragovic closed 4 years ago

nikdragovic commented 4 years ago

In order to avoid situations where IIIF cookies expire while Lux user sessions are still active, leading to thumbnail issues, we should determine a desired maximum length for a user session and implement accordingly for Devise and IIIF cookies.

Acceptance Criteria

Error Example

[Screenshot: Screen Shot 2020-04-29 at 4.43.45 PM.png]

devanshu-m commented 4 years ago

Check out the devise gem for timeout.

nikdragovic commented 4 years ago

@devanshu-m I am testing v1.1.8 in digital-test. When I log into the application in an incognito window, I am sometimes not seeing thumbnails for Log In Required items. However, they seem to display in some cases, like when I click the Log In Required option in the Access facet. I will keep testing, since I don't really see a pattern yet.

[Screenshot: Screen Shot 2020-06-03 at 10.18.26 AM.png]

nikdragovic commented 4 years ago

@devanshu-m Here's another screenshot; the thumbnails for this query were loaded, but I refreshed the page and they broke.

devanshu-m commented 4 years ago

@nikdragovic Is this happening only in digital-test or in prod as well? When I log in to digital-test, I see those broken thumbs, but when I log in to curate-test and then refresh the digital-test page, the thumbs come back. Can you confirm this is happening in prod as well?

nikdragovic commented 4 years ago

@devanshu-m Sorry, I should have clarified that I am testing without logging into Curate. The issue does not appear to be present in prod.

devanshu-m commented 4 years ago

Investigation:

1) In an incognito window, I opened digital.library.emory.edu and performed a blank search. There were objects with thumbs that said login required. Then I log in and perform the same blank search again and I can see those thumbs now.

2) In an incognito window, I opened digital-test.library.emory.edu, signed in at the initial HTTP login, and performed a blank search. There were objects with thumbs that said login required. Then I log in through shib and perform the same blank search again and I see broken thumbs.

3) In an incognito window, I opened digital-test.library.emory.edu, signed in at the initial HTTP login, and performed a blank search. There were objects with thumbs that said login required. Then I log in through shib and perform the same blank search again and I see broken thumbs. Then I log in to curate-test in a new tab, and when I redo the blank search in digital-test, I can see the thumbs again.

nikdragovic commented 4 years ago

Thanks @devanshu-m, this sounds consistent with what I was seeing. Let me know if you need more background. DCE previously solved the issue we seem to be having now in test with a particular strategy, and I can locate that ticket if you like.

devanshu-m commented 4 years ago

@nikdragovic Yes, that should be helpful in looking into this further. Thanks Nik!

nikdragovic commented 4 years ago

@devanshu-m Related:

Improve cookie security for image delivery #469

Allow Lux to access thumbnails from Curate after Curate has been locked down #444

devanshu-m commented 4 years ago

Further testing done by @eporter23, @nikdragovic and me:

1) Nik tested step 2 in the note above and did not see broken thumbs.

2) Emily tested step 2 (logged out of curate-test) in the note above and did not see broken thumbs in Safari and Firefox, but did see broken thumbs in Chrome.

3) I tested step 2 (logged out of curate-test) in the note above and did not see broken thumbs in Chrome desktop and Safari mobile.

All of these tests were done in incognito mode.

devanshu-m commented 4 years ago

New bug ticket created: https://app.zenhub.com/workspaces/digital-library-project-5bf484ae4b5806bc2bf6875b/issues/emory-libraries/dlp-curate/1232