"Remember me" option on login page do not always work

[andreynering]

• Gitea version (or commit ref): bb5a6b7 (current master)
• Git version: git version 2.10.0.windows.1
• Operating system: Windows
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL) https://try.gitea.io/user/login
  • No
  • Not relevant
• Log gist:

Description

Even if you check the "Remember me" checkbox, you sometimes have to login again after restarting the browser or computer. I think the right behavior should be remembering forever.

---

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.

[bkcsoft]

"Remember me" depends on cookies, do you clear all cookies when you restart the browser?

[andreynering]

@bkcsoft No I don't. But maybe cookies are being expired in the server side.

[bkcsoft]

@andreynering Yeah most likely

[rof20004]

This can be closed?

[monkeyhybrid]

I still experience this issue so I don't think it should be closed.

I just checked the client-side cookie situation with Firefox's web dev tools. I logged in to Gitea a few minutes ago for the first time since before Christmas, with 'remember me' ticked. A couple of cookies are set to expire once session has ended, the CSRF cookie expires after 24 hours, and two other cookies expire after 1 week. I'm guessing at least one of these should be set to never expire.

To summarise, my client cookies look like this:-

• _csrf - set to expire 24 hours after login
• gitea_awesome - set to expire 1 week after login
• gitea_incredible - set to expire 1 week after login
• i_like_gitea - expires after session ends
• lang - expires after session ends

I do not clear my cookies. I always tick 'remember me'. I am asked to re-login frequently. I've never made a note of how long my login stays 'remembered', I've made a note to do that now. I'm guessing it's after 24 hours, or 1 week. I'll update when I know.

Edit: I have been checking each day since last login, and I am still 'remembered' so far, after 2 days. I suspect it will forget me after 1 week but I am making a note of times and cookie status and will report back here in a few days time.

[monkeyhybrid]

I can now confirm that as soon as the gitea_awesome and gitea_incredible cookies expire (one week after login, even with Remember Me ticked), I am logged out and required to log back in again.

Is this not something everyone is experiencing?

I should probably add, I am currently accessing my local Gitea installation via HTTP until I move it to a new server with TLS. Does Gitea differentiate between the two, forcing shorter cookie life for non-HTTPS?

[monkeyhybrid]

I just stumbled upon the sample configuration file, app.ini.sample, in the Gitea source. It shows a config option I had not noticed before:-

[security]
; How long to remember that an user is logged in before requiring relogin (in days)
LOGIN_REMEMBER_DAYS = 7

If this setting doesn't exist in your app.ini, the default of 7 days will be used. If this isn't to your liking, you just need to add / modify this option to whatever value suits you (and restart Gitea, and probably logout and in again).

I suppose this means this issue should be closed. :)