Allow "Stay logged in" from multiple browsers
|Assignee:||Jean-Philippe Lang||% Done:|
|Category:||Accounts / authentication|
I regularly access my project's Redmine site from several different browsers on a couple of different computers. Even though I've checked "stay logged in" on all these browsers, as soon as I log into my site from any one browser I'm effectively logged out on all the others. The next time I access Redmine from a different browser, I have to log in again. This is quite inconvenient.
It would be much nicer if the autologin timeout (which I have set to 30 days) applied to every browser from which I access Redmine, independently.
#6 Updated by Gregor Schmidt almost 6 years ago
- File 0001-Define-token-action-properties-explicitly.patch added
- File 0001-10840-allow-stay-logged-in-from-multiple-browsers.patch added
I have added two alternative patches, which implement this feature.
The first one (0001-10840-allow-stay-logged-in-from-multiple-browsers.patch) makes use of the features introduced in r14735. It allows 10 concurrent autologin tokens per user, updates the tests accordingly and does not change anything else.
The second one (0001-Define-token-action-properties-explicitly.patch) refactors the token class.
To ease review, I kept the original patch series which lead to the proposed solution on GitHub.
Motivation: Token actions within Redmine have a defined lifetime and a maximum number of instances per user. These are defined within the current code base (session - 1 day, 10 instances; autologin - Setting.autologin.days, 1 instance, api - does not expire, 1 instance; ...), but the configuration is not made explicitly. Instead it is spread across multiple methods within the Token class. This makes it tedious to change the properties of a certain token action and, more importantly, it makes it difficult to reuse the token class from plugin code, without the need to override Token methods. In the current code base, non-core tokens will always expire after 1 day and there may only be one token per action/user. If a plugin would need a token more similar to the session or api token, it would need to override multiple methods within app/models/token.rb to achieve the desired effect.
Approach: The refactoring adds an explicit configuration for the diffent exisiting token actions, using the properties, that are currently in use. It then changes the action related methods within the Token class, to use the configured properties instead of the hard coded approach used earlier. This way, the list of actions may be extended by plugins, without the need to change core methods.
Changes: In order to solve this issue, the proposed patch, sets the maximum number of instances of the autologin token to 10 - similar to the session tokens.
Token.destroy_expired would delete perfectly valid autologin tokens, when
Settings.autologin != "1". The proposed patch fixes that bug.
#8 Updated by Jan from Planio www.plan.io almost 6 years ago
- Target version set to Candidate for next major release
As heavy plugin developers, we've ran into this a few times already. The proposed patch would be a great improvement for plugins, so I'm (boldly) pushing this for a next major release ;-)
#11 Updated by Go MAEDA over 4 years ago
- Target version changed from Candidate for next major release to 3.4.0
I have tested the patch 0001-10840-allow-stay-logged-in-from-multiple-browsers.patch. It works fine as expected. Setting target version to 3.4.0.
Unfortunately 0001-Define-token-action-properties-explicitly.patch cannot be applied to the current trunk cleanly, I have not tested yet.
#12 Updated by Gregor Schmidt over 4 years ago
#13 Updated by Jean-Philippe Lang over 4 years ago
- Subject changed from allow "stay logged in" from multiple browsers to Allow "Stay logged in" from multiple browsers
- Status changed from New to Closed
- Assignee set to Jean-Philippe Lang
- Resolution set to Fixed
The refactoring patch is committed, thanks. Followed by a fix for SQL errors with PostgreSQL (
Token.invalid_when_created_before was never returning nil making
next if validity_time.nil? useless).