-
Stan Hu authored
This change will allow users to be logged in continuously as long as they access GitLab once every 2 weeks and they click the "Remember me" button upon login. Previously the session limit would be fixed to a hard deadline of 2 weeks after the login. In more detail, GitLab uses both a session and a persistent cookie: 1. Session Cookie: The `_gitlab_session` is a cookie with no expiration date. A cookie with no expiration date specified will expire when the browser is closed. These are often called session cookies because they are removed after the browser session ends, usually when the browser is closed. 2. Persistent Cookie: The `remember_me_token` is a cookie with a 2-week expiration date. This is used if you click `Remember Me` upon login. 3. By default, the server will set a time-to-live (TTL) of 1-week on any session that is used. Note that browsers don't always remove session cookies if they are closed. For example, Chrome has the `Continue where you left off` option that restores session cookies after they are closed. This means as long as your browser tab is open, you could remain signed in with GitLab as long as you accessed GitLab at least once every 2 weeks, whether or not 2FA is installed. The server will keep resetting the TTL for that session. If you close your browser and open it up again, the `Remember me` token will allow your user to reauthenticate itself. Without the `extend_remember_period` flag, the cookie expires after a fixed 2 weeks, and you are forced to login again. Closes https://gitlab.com/gitlab-org/gitlab/-/issues/20340
adfae780