Feature #10840


Allow "Stay logged in" from multiple browsers

Added by Adam Dingle almost 12 years ago. Updated over 7 years ago.

Accounts / authentication
Target version:
Start date:
Due date:
% Done:


Estimated time:


I regularly access my project's Redmine site from several different browsers on a couple of different computers. Even though I've checked "stay logged in" on all these browsers, as soon as I log into my site from any one browser I'm effectively logged out on all the others. The next time I access Redmine from a different browser, I have to log in again. This is quite inconvenient.

It would be much nicer if the autologin timeout (which I have set to 30 days) applied to every browser from which I access Redmine, independently.


0001-Define-token-action-properties-explicitly.patch (7.68 KB) 0001-Define-token-action-properties-explicitly.patch refactoring of token action handling Gregor Schmidt, 2015-11-16 13:50
0001-10840-allow-stay-logged-in-from-multiple-browsers.patch (2.19 KB) 0001-10840-allow-stay-logged-in-from-multiple-browsers.patch simplest thing (that could possibly work) Gregor Schmidt, 2015-11-16 13:51
0001-10840-Define-token-action-properties-explicitly.patch (7.42 KB) 0001-10840-Define-token-action-properties-explicitly.patch refactoring of token action handling (rebased onto r16138) Gregor Schmidt, 2017-01-05 10:08

Related issues

Related to Redmine - Feature #26617: stop Concurrent season Closed

Has duplicate Redmine - Feature #6120: keep autologin cookie with several web browsersClosed2010-08-12

Actions #1

Updated by Terence Mill almost 12 years ago


Actions #2

Updated by Brenden Soares almost 12 years ago

+1 Agreed.

"Stay logged in" is a joke a it is. Keeps making me log in within 5mins of my last login. Apparently, it's the session cookie policy that needs changing to allow for multiple sessions per user?

Actions #3

Updated by Etienne Massip almost 12 years ago

  • Category set to Accounts / authentication
Actions #4

Updated by Anonymous almost 11 years ago

I access Redmine via Firefox, but MS Outlook loads pictures from Redmine via Internet Explorer. So if I log in from Firefox, I can't see pictures in confirmation letters.

Actions #5

Updated by none provided over 8 years ago

Must have for proper mobile usage where you switch 5 times a day between mobile phone, notebook and desktop PC.

Actions #6

Updated by Gregor Schmidt over 8 years ago

I have added two alternative patches, which implement this feature.

The first one (0001-10840-allow-stay-logged-in-from-multiple-browsers.patch) makes use of the features introduced in r14735. It allows 10 concurrent autologin tokens per user, updates the tests accordingly and does not change anything else.

The second one (0001-Define-token-action-properties-explicitly.patch) refactors the token class.

To ease review, I kept the original patch series which lead to the proposed solution on GitHub.

Motivation: Token actions within Redmine have a defined lifetime and a maximum number of instances per user. These are defined within the current code base (session - 1 day, 10 instances; autologin - Setting.autologin.days, 1 instance, api - does not expire, 1 instance; ...), but the configuration is not made explicitly. Instead it is spread across multiple methods within the Token class. This makes it tedious to change the properties of a certain token action and, more importantly, it makes it difficult to reuse the token class from plugin code, without the need to override Token methods. In the current code base, non-core tokens will always expire after 1 day and there may only be one token per action/user. If a plugin would need a token more similar to the session or api token, it would need to override multiple methods within app/models/token.rb to achieve the desired effect.

Approach: The refactoring adds an explicit configuration for the diffent exisiting token actions, using the properties, that are currently in use. It then changes the action related methods within the Token class, to use the configured properties instead of the hard coded approach used earlier. This way, the list of actions may be extended by plugins, without the need to change core methods.

Changes: In order to solve this issue, the proposed patch, sets the maximum number of instances of the autologin token to 10 - similar to the session tokens.

Fixes: Previously Token.destroy_expired would delete perfectly valid autologin tokens, when Settings.autologin != "1". The proposed patch fixes that bug.

Actions #7

Updated by Gregor Schmidt over 8 years ago

As far as I can tell, #6120 is a duplicate of this issue.

Actions #8

Updated by Jan from Planio over 8 years ago

  • Target version set to Candidate for next major release

As heavy plugin developers, we've ran into this a few times already. The proposed patch would be a great improvement for plugins, so I'm (boldly) pushing this for a next major release ;-)

Actions #9

Updated by Toshi MARUYAMA over 8 years ago

  • Has duplicate Feature #6120: keep autologin cookie with several web browsers added
Actions #10

Updated by Moritz Scholz over 7 years ago

The current behavior makes working with both desktop and a mobile device really annoying. I wonder why this does not get more attention.

Actions #11

Updated by Go MAEDA over 7 years ago

  • Target version changed from Candidate for next major release to 3.4.0

I have tested the patch 0001-10840-allow-stay-logged-in-from-multiple-browsers.patch. It works fine as expected. Setting target version to 3.4.0.

Unfortunately 0001-Define-token-action-properties-explicitly.patch cannot be applied to the current trunk cleanly, I have not tested yet.

Actions #12

Updated by Gregor Schmidt over 7 years ago

I have updated the other patch (with the included refactoring) to the current trunk r16138. I would be glad if you could take a second look.

The patch series, which led to the proposed changes, is still available on GitHub for easier review, and has been updated as well.

Actions #13

Updated by Jean-Philippe Lang over 7 years ago

  • Subject changed from allow "stay logged in" from multiple browsers to Allow "Stay logged in" from multiple browsers
  • Status changed from New to Closed
  • Assignee set to Jean-Philippe Lang
  • Resolution set to Fixed

The refactoring patch is committed, thanks. Followed by a fix for SQL errors with PostgreSQL (Token.invalid_when_created_before was never returning nil making next if validity_time.nil? useless).

Actions #14

Updated by Toshi MARUYAMA over 6 years ago


Also available in: Atom PDF