docu missing - enlightenment needed - session timeout, cookie expiration, autologin, rest api key expiration

Added by Terence Mill over 5 years ago

Can someone please explain how the autologin setting and cookie expiration (ActionController::Base.session = { :expire_after => 2.hours }) influence each other? E.g. overruling?
Does the cookie expiration timer count down from first login till zero - is it reset on every HTTP request by the cookie's user (like session timeout)?

Is the cookie expiration setting also the timeout value for REST API key expiration? If not, where else to set this?

All these questions are not answered by the redmine.org online doco. Please add the answers to the docu for others too.

Replies (3)

RE: docu missing - enlightenment needed - session timeout, cookie expiration, autologin, rest api key expiration - Added by Terence Mill over 5 years ago

I changed autologin from 7 days to one day and inspected the HTTP response header with Firebug. There is still no set cookie "expires" attribute and the cookie in the browser is set to end of session.
I don't understand this. I want Redmine to invalidate the cookie after 1 day in any case, so that the user must log in again after this expiration time.

RE: docu missing - enlightenment needed - session timeout, cookie expiration, autologin, rest api key expiration - Added by Jean-Philippe Lang over 5 years ago

  • Sessions: there's no way to expire sessions if you're using the default cookie store for sessions. You can have a look at the active record session store that should support that. I agree that being able to control session lifetime from within Redmine is a desirable feature (#6597).
  • Autologin: the autologin duration is controlled on the server side, that's why the cookie "expires" attribute is meaningless (set to 1 year so that it's greater than the actual autologin duration).
  • API key: it does not expire but you can regenerate a new one (and thus invalidate the previous one) in "My account".
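
An added example (not part of the thread and not Redmine's code) of the server-side autologin check described in the reply above: the cookie carries a one-year "expires", while the server rejects the token once its own validity window has passed. The class, method and cookie names are hypothetical, and counting the window from issue time without resetting it on each request is this example's assumption.

```ruby
require 'digest'
require 'securerandom'

# Hypothetical in-memory token store; names are illustrative, not Redmine's.
class AutologinTokens
  Record = Struct.new(:user_id, :created_on)

  def initialize(validity_days:)
    @validity = validity_days * 86_400 # validity window in seconds
    @records = {}                      # SHA-256(token) => Record
  end

  # Issue a random token. The server keeps only its digest and creation time.
  def issue(user_id, now: Time.now)
    value = SecureRandom.hex(20)
    @records[digest(value)] = Record.new(user_id, now)
    value
  end

  # Return the user id for a known, unexpired token, otherwise nil.
  # An expired token is deleted so that it cannot be presented again.
  def authenticate(value, now: Time.now)
    key = digest(value.to_s)
    rec = @records[key]
    return nil unless rec
    return rec.user_id if now - rec.created_on <= @validity
    @records.delete(key)
    nil
  end

  private

  def digest(value)
    Digest::SHA256.hexdigest(value)
  end
end

# Build the Set-Cookie value. "Expires" is deliberately far in the future
# (1 year): the browser-side date is not what enforces the autologin duration.
def autologin_cookie(value, now: Time.now)
  expires = (now + 365 * 86_400).utc.strftime('%a, %d %b %Y %H:%M:%S GMT')
  "autologin=#{value}; Path=/; Expires=#{expires}; HttpOnly; Secure"
end
```

With `validity_days: 1`, a browser that still holds the cookie on day two is sent back to the login form, because `authenticate` returns nil regardless of the cookie's own expiry date.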
