If you refresh the page after 10 min, you are logged out #781

Closed
obotisan opened this issue Feb 18, 2019 · 3 comments

@obotisan obotisan commented Feb 18, 2019

[Affected versions]:

  • Firefox 65.0.1

[Affected Platforms]:

  • Windows 10 x64
  • macOS 10.13
  • Ubuntu 18.04 x64

[Steps to reproduce]:

  1. Navigate to http://stage.firefoxmonitor.nonprod.cloudops.mozgcp.net
  2. Sign in with a valid account.
  3. Wait 10 minutes and refresh the page.

[Expected result]:

  • The user is still signed in.

[Actual result]:

  • The user is not signed in anymore.

[Regression]:

  • N/A

@groovecoder groovecoder commented Feb 19, 2019

Good catch @obotisan. @sandysage - how long should Firefox Monitor login sessions stay active?

@sandysage sandysage commented Feb 19, 2019

@shane-tomlinson what do you recommend here? I'm assuming we want that logged in state to persist for as long as would be reasonable. I doubt "forever" is a good option so what is the next best thing?

@groovecoder groovecoder commented Feb 22, 2019

In the interest of closing my last assigned issue before I'm mostly afk next week ...

On Slack #fxa there's not an FxA-wide baseline for session expiration for relying parties.

Per our GA, our average session duration is 01:28 and number of sessions-per-user is 1.1

These features would have much better UX with longer sessions:

  • "Featured" breach landing page - when a user clicks "Learn more" on a Firefox breach alert popup, immediately show them if they are in the breach or not.
  • Multiple emails - when a user adds an additional email address, send them an email link they must click to verify they own the email address

However, since neither of these features exists yet, I'm tempted to just leave our session timeout at 10m, because leaving the user logged in could accidentally reveal their sensitive breaches to others who share their computer.

When we have more session-based features, we can revisit the session timeout.

@sandysage - if you disagree and want to up the session timeout value, just re-open this issue please.
