If you refresh the page after 10 min, you are logged out

[obotisan]

[Affected versions]:

• Firefox 65.0.1

[Affected Platforms]:

• Windows 10 x64
• macOS 10.13
• Ubuntu 18.04 x64

[Steps to reproduce]:

1. Navigate to http://stage.firefoxmonitor.nonprod.cloudops.mozgcp.net
2. Sign in with a valid account.
3. Wait 10 minutes and refresh the page.

[Expected result]:

• The user is still signed in.

[Actual result]:

• The user is not signed in anymore.

[Regression]:

• N/A

[groovecoder]

Good catch @obotisan. @sandysage - how long should Firefox Monitor login sessions stay active?

[sandysage]

@shane-tomlinson what do you recommend here? I'm assuming we want that logged in state to persist for as long as would be reasonable. I doubt "forever" is a good option so what is the next best thing?

[groovecoder]

In the interested of closing my last assigned issue before I'm mostly afk next week ...

On Slack #fxa there's not an FxA-wide baseline for session expiration for relying parties.

Per our GA, our average session duration is 01:28 and number of sessions-per-user is 1.1

These features would have much better UX with longer sessions:

• "Featured" breach landing page - when a user clicks "Learn more" on a Firefox breach alert popup, immediately show them if they are in the breach or not.
• Multiple emails - when a user adds an additional email address, send them an email link they must click to verify they own the email address

However, since neither of these features exists yet, I'm tempted to just leave our session timeout at 10m, because leaving the user logged in could accidentally reveal their sensitive breaches to others who share their computer.

When we have more session-based features, we can revisit the session timeout.

@sandysage - if you disagree and want to up the session timeout value, just re-open this issue please.