Auth token cookie does not have an expiration #1756
Assignees
Labels
bug
needs triage, then squashing
Development
Issues for the dev team resolve
sev3
Experience is flawed but not unusable.
Comments
mgwalker
added
bug
This was referenced Aug 21, 2019
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When the API creates and sets the auth token cookie, it does not set an expiration. The result is that the browser creates a "session cookie," which causes it to be deleted when the browser is closed. (Session cookies can be deleted prior to the browser being closed as well; the exact circumstances are kind of unpredictable based on the browser, but closing the browser will always do it.) The result is that users can be logged out by closing their browser, rebooting their computer, etc.
One question is whether this is the desired behavior. I don't have a strong opinion either way. There's a security argument in favor of session cookies, but there's a convenience/usability argument for longer-lasting cookies.
This task is done when either...
The text was updated successfully, but these errors were encountered: