Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix bugs in extend_remember_period #5418

Open
wants to merge 4 commits into
base: main
Choose a base branch
from

Conversation

nomis
Copy link

@nomis nomis commented Nov 7, 2021

This is a modified version of #5351 that fixes the remaining issues:

  • Only extend remember_me if remember_me is currently active
  • Set a timeout for extend_remember_period tests, otherwise the session doesn't expire so the user will never be logged out

ghiculescu and others added 4 commits November 7, 2021 11:42
This PR adds better tests for `extend_remember_period` and tries to better document what the feature is supposed to do. Currently it's not very well specified, and I'm not sure it's behaving as expected.

I found https://gitlab.com/gitlab-org/gitlab/-/merge_requests/32730 and heartcombo#3950 (comment) which both describe how the feature should work. To summarise:

- if you log in to the application regularly, `extend_remember_period` will keep your session alive
- if you *don't* log into the application for a while (longer than `config.remember_for`) you'll get logged out

In reality, it looks like what happens is:

- if you log in to the application regularly, your session will stay alive for as long as `config.remember_for`
- if you *don't* log into the application for a while (longer than `config.remember_for`) you'll stay logged in, as long as your warden session remains intact

So this means for example if you keep your browser open for longer than `config.remember_for`, your rememberable cookie will expire, but you'll still be logged in.

Currently how `extend_remember_period` works is that it only extends the session when [`Stratgies::Rememberable#authenticate`](https://github.com/heartcombo/devise/blob/master/lib/devise/strategies/rememberable.rb#L30) gets called. This gets called when the user logs in and a strategy is used. But if there's already a user logged in and recognised by warden, then warden [short circuits the strategies](https://github.com/wardencommunity/warden/blob/master/lib/warden/proxy.rb#L334).

So the first thing this PR change is to add a hook so that `extend_remember_period` now works on every request.

The next bug is that if once `config.remember_for` is up, the user is not currently forgotten.
The remember_me token will be irrelevant unless the session would timeout.

A session timeout (which also won't happen if there is a valid remember_me
token) is required to logout the user.
If the session expires then a re-authentication will occur via the remember
token, which could automatically extend it via the authentication process
instead of the extend process.

The remember period needs to be extended even if the session has not yet
expired. Arrange for this to happen and then let the session expire late
enough that the remember token must have been extended for the user to
still be logged in.

Ensure that remember me isn't set by the extend process when remember me is
not being used for the current session.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

2 participants