Commit adfae780 authored by Stan Hu's avatar Stan Hu

Extend "Remember me" token after each login

This change will allow users to be logged in continuously as long as
they access GitLab once every 2 weeks and they click the "Remember me"
button upon login. Previously the session limit would be fixed to a hard
deadline of 2 weeks after the login.

In more detail, GitLab uses both a session and a persistent cookie:

1. Session Cookie: The `_gitlab_session` is a cookie with no expiration
date. A cookie with no expiration date specified will expire when the
browser is closed. These are often called session cookies because they
are removed after the browser session ends, usually when the browser is
closed.
2. Persistent Cookie: The `remember_me_token` is a cookie with a 2-week
expiration date. This is used if you click `Remember Me` upon login.
3. By default, the server will set a time-to-live (TTL) of 1-week on any
session that is used.

Note that browsers don't always remove session cookies if they are
closed. For example, Chrome has the `Continue where you left off` option
that restores session cookies after they are closed.

This means as long as your browser tab is open, you could remain signed
in with GitLab as long as you accessed GitLab at least once every 2
weeks, whether or not 2FA is installed. The server will keep resetting
the TTL for that session.

If you close your browser and open it up again, the `Remember me` token
will allow your user to reauthenticate itself. Without the
`extend_remember_period` flag, the cookie expires after a fixed 2 weeks,
and you are forced to login again.

Closes https://gitlab.com/gitlab-org/gitlab/-/issues/20340
parent d0e90f87
---
title: Extend "Remember me" token after each login
merge_request: 32730
author:
type: other
...@@ -102,7 +102,7 @@ Devise.setup do |config| ...@@ -102,7 +102,7 @@ Devise.setup do |config|
# config.remember_across_browsers = true # config.remember_across_browsers = true
# If true, extends the user's remember period when remembered via cookie. # If true, extends the user's remember period when remembered via cookie.
# config.extend_remember_period = false config.extend_remember_period = true
# Options to be passed to the created cookie. For instance, you can set # Options to be passed to the created cookie. For instance, you can set
# secure: true in order to force SSL only cookies. # secure: true in order to force SSL only cookies.
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment