AO3-5171 Make session last 2 weeks (#3059)
* AO3-5171 Make session cookie last 2 weeks

* AO3-5171 Make 'remember me for two weeks' the default behavior for the user_credentials cookie

* AO3-5171 Remember me should make a session last 3 months instead of 2 weeks

* AO3-5171 Fix the spacing in the _passwd view

* AO3-5171 If we reset remember_me_for in the right place, we don't need all this extra code

* AO3-5171 Remove @remember_me instance variable I temporarily added

* AO3-5171 Make session length configurable and add flash message warning users to log out if they are using a public or shared computer

* AO3-5171 Change constant names to include units
sarken authored and zz9pzza committed Sep 17, 2017
1 parent 62a34d4 commit 5887b61
Showing 5 changed files with 30 additions and 8 deletions.
17 changes: 16 additions & 1 deletion app/controllers/user_sessions_controller.rb
Expand Up @@ -9,11 +9,23 @@ def new

def create
if params[:user_session]
# We currently remember users for 2 weeks even if they do not check
# "Remember me" when logging in. To make it last longer for users who
# do check "Remember me," we have to set a different value before we
# create the session.
if user_session_params[:remember_me] == "1"
UserSession.remember_me_for = ArchiveConfig.REMEMBERED_SESSION_LENGTH_IN_MONTHS.months
end
# Need to convert params back to a hash for Authlogic bug
@user_session = UserSession.new(user_session_params.to_hash)

if @user_session.save
flash[:notice] = ts("Successfully logged in.")
flash[:notice] = ts("Successfully logged in.").html_safe
# Remembering users who don't check "Remember me" is non-standard
# behavior, so we want to make sure they are aware of it
unless user_session_params[:remember_me] == "1"
flash[:notice] += ts(" <strong>You'll stay logged in for %{number} weeks even if you close your browser, so make sure to log out if you're using a public or shared computer.</strong>", number: ArchiveConfig.DEFAULT_SESSION_LENGTH_IN_WEEKS).html_safe
end
@current_user = @user_session.record
redirect_back_or_default(@current_user)
else
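Review bot: `UserSession.remember_me_for = ArchiveConfig.REMEMBERED_SESSION_LENGTH_IN_MONTHS.months` mutates class-level, process-wide state to change the duration for a single request, so under a threaded server any other login handled between this assignment and the reset at the end of the action is remembered for 3 months regardless of its own checkbox, and any exception raised by `save` or the redirect skips the reset entirely. Prefer a per-instance decision: for example, override Authlogic's instance-level `remember_me_until` in UserSession (assuming the Authlogic version in use exposes it) to return the 3-month value when `remember_me?` is true and the default otherwise, which removes both the race and the need for a reset. Separately, the `.html_safe` on the concatenated flash message is only safe because `number:` comes from ArchiveConfig rather than from the request; a one-line comment stating that would keep a future edit from interpolating user-controlled data into it.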
Expand Down Expand Up @@ -49,6 +61,9 @@ def create
@user_session = UserSession.new(user_session_params)
render action: 'new'
end
# Set the session value back to 2 weeks so the next session
# doesn't also get remembered for 3 months
UserSession.remember_me_for = ArchiveConfig.DEFAULT_SESSION_LENGTH_IN_WEEKS.weeks
end
end
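Review bot: the reset `UserSession.remember_me_for = ArchiveConfig.DEFAULT_SESSION_LENGTH_IN_WEEKS.weeks` is plain trailing code, so it never runs if anything above it raises, leaving the 3-month value in place for every later login in that process; if the class-level approach is kept, move the reset into an `ensure` clause of `create`. The value also duplicates the one configured in `app/models/user_session.rb`; reading it back from a single place (for instance a constant on UserSession) keeps the two from drifting apart.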

2 changes: 2 additions & 0 deletions app/models/user_session.rb
@@ -1,4 +1,6 @@
class UserSession < Authlogic::Session::Base
consecutive_failed_logins_limit 50
failed_login_ban_for 5.minutes
remember_me true
remember_me_for ArchiveConfig.DEFAULT_SESSION_LENGTH_IN_WEEKS.weeks
end
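Review bot: `remember_me true` issues the persistent Authlogic credentials cookie to every user, not only those who tick the checkbox, so the cookie's own attributes now matter for everyone: confirm that Authlogic's `httponly` and `secure` cookie options are enabled for this session class (neither is visible in this hunk), since a credential cookie that survives on disk for two weeks carries more risk than a browser-session one. The Authlogic cookie here and the Rails session cookie in `config/initializers/session_store.rb` are both set from DEFAULT_SESSION_LENGTH_IN_WEEKS; a comment saying the two are intended to match would help whoever changes one later.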
14 changes: 8 additions & 6 deletions app/views/user_sessions/_passwd.html.erb
@@ -1,13 +1,15 @@
<% @user_session = UserSession.new unless @user_session %>
<%= form_for @user_session do |f| %>
<dl>
<dt><%= f.label :login, ts("User name:") %></dt>
<dt><%= f.label :login, ts("User name:") %></dt>
<dd><%= f.text_field :login %></dd>
<dt><%= f.label :password, ts("Password:") %></dt>
<dt><%= f.label :password, ts("Password:") %></dt>
<dd><%= f.password_field :password %></dd>
<dt><%= f.label :remember_me, ts("Remember me") %></dt>
<dd><%= f.check_box :remember_me %></dd>
<dt class="landmark"><%= ts("Submit") %></dt>
<dd class="submit actions"><%= f.submit ts("Log in"), :class => 'submit' %></dd>
<dt><%= f.label :remember_me, ts("Remember me") %></dt>
<dd><%= f.check_box :remember_me %></dd>
<dt class="landmark"><%= ts("Submit") %></dt>
<dd class="submit actions">
<%= f.submit ts("Log in"), class: "submit" %>
</dd>
</dl>
<% end %>
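Review bot: this hunk changes only indentation and the `:class => 'submit'` to `class: "submit"` hash syntax, with no functional change to the form; keeping cosmetic edits like this in their own commit makes the session-lifetime change (the part that needs security review) easier to audit. The label still reads `ts("Remember me")` even though the default session now persists for two weeks, so consider wording that tells users the checkbox extends the session rather than enables persistence.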
3 changes: 3 additions & 0 deletions config/config.yml
Expand Up @@ -11,6 +11,9 @@
SESSION_KEY: '_otwarchive_session'
SESSION_SECRET: '898f6d0363863ec79d782238cd1c5767636d712cc0d138238bcd5bfc9d2672fb852380050e52c03a0401175d909c09dba48512a119d46b126a84c2dd05716eb5'

DEFAULT_SESSION_LENGTH_IN_WEEKS: 2
REMEMBERED_SESSION_LENGTH_IN_MONTHS: 3

# email addresses
RETURN_ADDRESS: 'do-not-reply@example.org'
SUPPORT_ADDRESS: 'support@example.org'
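Review bot: the new keys `DEFAULT_SESSION_LENGTH_IN_WEEKS` and `REMEMBERED_SESSION_LENGTH_IN_MONTHS` carry their units in the name, which is good, but nothing here says what each governs; a comment noting that the first sets both the Rails session cookie expiry and the default Authlogic remember cookie, while the second applies only when "Remember me" is ticked, would help operators tune them safely. Because the values are consumed as `.weeks` and `.months` in Ruby they must stay integers; a missing value becomes `nil.weeks` and raises when UserSession loads rather than at login, which is worth a line in that comment. The `SESSION_SECRET` shown as context is a checked-in value in this file; with sessions now persisting for weeks, make sure deployments override it rather than rely on the committed one.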
2 changes: 1 addition & 1 deletion config/initializers/session_store.rb
@@ -1,6 +1,6 @@
# Be sure to restart your server when you modify this file.

Otwarchive::Application.config.session_store :cookie_store, key: '_otwarchive_session'
Otwarchive::Application.config.session_store :cookie_store, key: '_otwarchive_session', expire_after: ArchiveConfig.DEFAULT_SESSION_LENGTH_IN_WEEKS.weeks

# Use the database for sessions instead of the cookie-based default,
# which shouldn't be used to store highly confidential information
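Review bot: adding `expire_after:` turns the Rails session from a browser-session cookie into a persistent one, and with `:cookie_store` the limit is enforced by the browser's Expires attribute (server-side only on Rails versions that embed expiry metadata in the signed payload), so a copied cookie is not rejected by the server after two weeks on older versions. The figure is also a sliding idle limit rather than an absolute ceiling: Rack re-issues the cookie with a fresh Expires on every response where the session was touched. The comment directly below already warns that the cookie store should not hold confidential data; this change raises the stakes of that warning, so reviewing what the app writes into `session[...]` belongs with it, and an absolute-lifetime check (an issue timestamp stored in the session and rejected once older than the configured length) would bound the exposure of a long-lived cookie.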