flarum / issue-archive


Reduce lifetime of remember me sessions #136

Open clarkwinkelmann opened 3 years ago

clarkwinkelmann commented 3 years ago

This is a meta discussion somewhat related to the changes introduced in flarum/framework#2651.

Due to the garbage collector issue flarum/framework#2075 the session duration was never properly enforced, so most people probably have no idea of the default lifetimes we baked in.

Basically the current remember session duration is as follows:

Disregarding the mismatch between the two, I think 5 years is too long. It makes no sense to keep a session active that long without any activity.

I would suggest we scale it down to a value somewhere between 3 months and a year.

As we make it shorter, the need to fix the mismatch between database and cookie will become more important. I'm suggesting we do something similar to cookies where a middleware checks if the session's token is a remember token, and sets the cookie again with a new expiration on every request. Prior to the access token refactor this wasn't very easy, but now it will be something relatively easy to implement.
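One way to implement the sliding expiration described above, added here as an illustration rather than code from Flarum or from this thread. The PSR-15 interfaces are real; the TokenStore and RememberToken types, the cookie name and the lifetime value are assumptions.

```php
<?php
declare(strict_types=1);

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;

// Hypothetical token record and store; a real implementation would back these with the database.
final class RememberToken
{
    public function __construct(public string $value, public bool $isRemember, public int $expiresAt) {}
}
interface TokenStore
{
    public function find(string $value): ?RememberToken;
    public function touch(RememberToken $token, int $expiresAt): void; // persist the new expiry
}
// Re-issues the remember cookie on every request so cookie and database expiry move together.
final class SlidingRememberCookie implements MiddlewareInterface
{
    public function __construct(
        private TokenStore $tokens,
        private string $cookieName,   // assumed cookie name, e.g. 'forum_remember'
        private int $lifetime         // one lifetime for all remember tokens, e.g. 90 * 86400
    ) {}
    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        $response = $handler->handle($request);
        $value = $request->getCookieParams()[$this->cookieName] ?? null;
        if (!is_string($value)) {
            return $response;
        }
        $token = $this->tokens->find($value);
        // Only a live remember token is extended: unknown, non-remember or already expired
        // tokens get no new cookie, so the database stays the source of truth for the lifetime.
        if ($token === null || !$token->isRemember || $token->expiresAt <= time()) {
            return $response;
        }
        $expiresAt = time() + $this->lifetime;
        $this->tokens->touch($token, $expiresAt);
        $cookie = sprintf(
            '%s=%s; Expires=%s; Max-Age=%d; Path=/; Secure; HttpOnly; SameSite=Lax',
            $this->cookieName, rawurlencode($value), gmdate('D, d M Y H:i:s \G\M\T', $expiresAt), $this->lifetime
        );
        return $response->withAddedHeader('Set-Cookie', $cookie);
    }
}
```

Because the expiry check reads the database record before extending anything, a cookie that was issued with a long expiry can never outlive the shorter lifetime now stored server-side.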

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. We do this to keep the amount of open issues to a manageable minimum. In any case, thanks for taking an interest in this software and contributing by opening the issue in the first place!

clarkwinkelmann commented 3 years ago

I think we should discuss/vote on this during our next meeting to decide if we want to change it. Then the issue can either be closed if we don't change anything, or updated to describe the exact timeouts we decide to implement.

davwheat commented 3 years ago

I'll stick my opinion here in case I can't make it or I forget for some reason:

I think we should let users/admins decide.

A list of options on the admin page that can be selected for users to choose from, or a forced session time instead. Users can change the "remember me" session expiry via a setting on their account.

We'd have to make sure this all plays nicely with 3rd party login systems.

clarkwinkelmann commented 3 years ago

I think we should let users/admins decide.

We could make this configurable via config.php, like the normal session lifetime.

Because of the way tokens have been refactored in my previous PRs, the lifetime can no longer be customized per-user or per-token. All remember me tokens need to have the same lifetime.

davwheat commented 3 years ago

In that case, I agree that we should make them configurable. Config file sounds good -- it's not something that needs to be changed often enough to warrant it being easily modified in the dashboard.

SychO9 commented 3 years ago

I agree with making it configurable while changing the default to the suggested

somewhere between 3 months and a year