    Extend "Remember me" token after each login · adfae780
    Stan Hu authored
    This change will allow users to be logged in continuously as long as
    they access GitLab once every 2 weeks and they click the "Remember me"
    button upon login. Previously the session limit would be fixed to a hard
    deadline of 2 weeks after the login.
    
    In more detail, GitLab uses both a session and a persistent cookie:
    
    1. Session Cookie: The `_gitlab_session` is a cookie with no expiration
    date. A cookie with no expiration date specified will expire when the
    browser is closed. These are often called session cookies because they
    are removed after the browser session ends, usually when the browser is
    closed.
    2. Persistent Cookie: The `remember_me_token` is a cookie with a 2-week
    expiration date. This is used if you click `Remember Me` upon login.
    3. By default, the server will set a time-to-live (TTL) of 1 week on any
    session that is used.
    
    Note that browsers don't always remove session cookies if they are
    closed. For example, Chrome has the `Continue where you left off` option
    that restores session cookies after they are closed.
    
    This means as long as your browser tab is open, you could remain signed
    in with GitLab as long as you accessed GitLab at least once every 2
    weeks, whether or not 2FA is installed. The server will keep resetting
    the TTL for that session.
    
    If you close your browser and open it up again, the `Remember me` token
    will allow your user to reauthenticate itself. Without the
    `extend_remember_period` flag, the cookie expires after a fixed 2 weeks,
    and you are forced to log in again.
    
    Closes https://gitlab.com/gitlab-org/gitlab/-/issues/20340
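To make the two expiry policies concrete, here is a small Ruby model of the remember-me deadline, added as an example and not code from GitLab or Devise; `REMEMBER_FOR` and the `extend:` keyword stand in for Devise's `remember_for` and `extend_remember_period` settings, and the timelines are constructed.

```ruby
# Model of the remember_me_token deadline (added example, not GitLab or
# Devise code). REMEMBER_FOR stands in for Devise's `config.remember_for`;
# the `extend:` keyword stands in for `config.extend_remember_period`.
REMEMBER_FOR = 14 * 24 * 60 * 60 # 2 weeks, in seconds
DAY = 24 * 60 * 60

# first_login: Time the user logged in with "Remember me" ticked.
# visits: Times at which the browser presents the remember_me_token cookie
#         (assumes the browser kept the cookie, e.g. Chrome's
#         "Continue where you left off").
# Returns one boolean per visit: true if the cookie was still honoured.
def remembered_visits(first_login, visits, extend:)
  deadline = first_login + REMEMBER_FOR
  visits.map do |visit|
    honoured = visit <= deadline
    # With extend_remember_period, every accepted visit re-issues the
    # cookie, so the 2-week window slides forward from that visit.
    deadline = visit + REMEMBER_FOR if honoured && extend
    honoured
  end
end

# Constructed timeline: a user who comes back every 10 days for 30 days.
def every_ten_days
  login = Time.utc(2020, 1, 1)
  [login, [login + 10 * DAY, login + 20 * DAY, login + 30 * DAY]]
end

# Constructed timeline: a 20-day gap between two visits.
def twenty_day_gap
  login = Time.utc(2020, 1, 1)
  [login, [login + 10 * DAY, login + 30 * DAY]]
end

if __FILE__ == $PROGRAM_NAME
  login, visits = every_ten_days
  p remembered_visits(login, visits, extend: false) # fixed deadline: [true, false, false]
  p remembered_visits(login, visits, extend: true)  # sliding deadline: [true, true, true]
  login, visits = twenty_day_gap
  p remembered_visits(login, visits, extend: true)  # gap over 2 weeks: [true, false]
end
```

With extension enabled the cookie never lapses on its own while it keeps being presented, so the 2-week value is no longer a hard bound on the token's lifetime, only on the gap between uses.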
8_devise.rb 10.8 KB