Feature #10840

Allow "Stay logged in" from multiple browsers

Added by Adam Dingle about 10 years ago. Updated over 5 years ago.

Status:ClosedStart date:
Priority:NormalDue date:
Assignee:Jean-Philippe Lang% Done:


Category:Accounts / authentication
Target version:3.4.0


I regularly access my project's Redmine site from several different browsers on a couple of different computers. Even though I've checked "stay logged in" on all these browsers, as soon as I log into my site from any one browser I'm effectively logged out on all the others. The next time I access Redmine from a different browser, I have to log in again. This is quite inconvenient.

It would be much nicer if the autologin timeout (which I have set to 30 days) applied to every browser from which I access Redmine, independently.

0001-Define-token-action-properties-explicitly.patch Magnifier - refactoring of token action handling (7.68 KB) Gregor Schmidt, 2015-11-16 13:50

0001-10840-allow-stay-logged-in-from-multiple-browsers.patch Magnifier - simplest thing (that could possibly work) (2.19 KB) Gregor Schmidt, 2015-11-16 13:51

0001-10840-Define-token-action-properties-explicitly.patch Magnifier - refactoring of token action handling (rebased onto r16138) (7.42 KB) Gregor Schmidt, 2017-01-05 10:08

Related issues

Related to Redmine - Feature #26617: stop Concurrent season Closed
Duplicated by Redmine - Feature #6120: keep autologin cookie with several web browsers Closed 2010-08-12

Associated revisions

Revision 16174
Added by Jean-Philippe Lang over 5 years ago

Allow "stay logged in" from multiple browsers (#10840).

Patch by Gregor Schmidt.

Revision 16175
Added by Jean-Philippe Lang over 5 years ago

Don't compare timestamps with 0, triggers SQL errors with PostgreSQL (#10840).


#1 Updated by Terence Mill about 10 years ago


#2 Updated by Brenden Soares about 10 years ago

+1 Agreed.

"Stay logged in" is a joke a it is. Keeps making me log in within 5mins of my last login. Apparently, it's the session cookie policy that needs changing to allow for multiple sessions per user?

#3 Updated by Etienne Massip about 10 years ago

  • Category set to Accounts / authentication

#4 Updated by Anonymous almost 9 years ago

I access Redmine via Firefox, but MS Outlook loads pictures from Redmine via Internet Explorer. So if I log in from Firefox, I can't see pictures in confirmation letters.

#5 Updated by none provided almost 7 years ago

Must have for proper mobile usage where you switch 5 times a day between mobile phone, notebook and desktop PC.

#6 Updated by Gregor Schmidt over 6 years ago

I have added two alternative patches, which implement this feature.

The first one (0001-10840-allow-stay-logged-in-from-multiple-browsers.patch) makes use of the features introduced in r14735. It allows 10 concurrent autologin tokens per user, updates the tests accordingly and does not change anything else.

The second one (0001-Define-token-action-properties-explicitly.patch) refactors the token class.

To ease review, I kept the original patch series which lead to the proposed solution on GitHub.

Motivation: Token actions within Redmine have a defined lifetime and a maximum number of instances per user. These are defined within the current code base (session - 1 day, 10 instances; autologin - Setting.autologin.days, 1 instance, api - does not expire, 1 instance; ...), but the configuration is not made explicitly. Instead it is spread across multiple methods within the Token class. This makes it tedious to change the properties of a certain token action and, more importantly, it makes it difficult to reuse the token class from plugin code, without the need to override Token methods. In the current code base, non-core tokens will always expire after 1 day and there may only be one token per action/user. If a plugin would need a token more similar to the session or api token, it would need to override multiple methods within app/models/token.rb to achieve the desired effect.

Approach: The refactoring adds an explicit configuration for the diffent exisiting token actions, using the properties, that are currently in use. It then changes the action related methods within the Token class, to use the configured properties instead of the hard coded approach used earlier. This way, the list of actions may be extended by plugins, without the need to change core methods.

Changes: In order to solve this issue, the proposed patch, sets the maximum number of instances of the autologin token to 10 - similar to the session tokens.

Fixes: Previously Token.destroy_expired would delete perfectly valid autologin tokens, when Settings.autologin != "1". The proposed patch fixes that bug.

#7 Updated by Gregor Schmidt over 6 years ago

As far as I can tell, #6120 is a duplicate of this issue.

#8 Updated by Jan from Planio www.plan.io over 6 years ago

  • Target version set to Candidate for next major release

As heavy plugin developers, we've ran into this a few times already. The proposed patch would be a great improvement for plugins, so I'm (boldly) pushing this for a next major release ;-)

#9 Updated by Toshi MARUYAMA over 6 years ago

  • Duplicated by Feature #6120: keep autologin cookie with several web browsers added

#10 Updated by Moritz Scholz over 5 years ago

The current behavior makes working with both desktop and a mobile device really annoying. I wonder why this does not get more attention.

#11 Updated by Go MAEDA over 5 years ago

  • Target version changed from Candidate for next major release to 3.4.0

I have tested the patch 0001-10840-allow-stay-logged-in-from-multiple-browsers.patch. It works fine as expected. Setting target version to 3.4.0.

Unfortunately 0001-Define-token-action-properties-explicitly.patch cannot be applied to the current trunk cleanly, I have not tested yet.

#12 Updated by Gregor Schmidt over 5 years ago

I have updated the other patch (with the included refactoring) to the current trunk r16138. I would be glad if you could take a second look.

The patch series, which led to the proposed changes, is still available on GitHub for easier review, and has been updated as well.

#13 Updated by Jean-Philippe Lang over 5 years ago

  • Subject changed from allow "stay logged in" from multiple browsers to Allow "Stay logged in" from multiple browsers
  • Status changed from New to Closed
  • Assignee set to Jean-Philippe Lang
  • Resolution set to Fixed

The refactoring patch is committed, thanks. Followed by a fix for SQL errors with PostgreSQL (Token.invalid_when_created_before was never returning nil making next if validity_time.nil? useless).

#14 Updated by Toshi MARUYAMA over 4 years ago

Also available in: Atom PDF