From 5887b61da1c095c14de164713d18e441889063d2 Mon Sep 17 00:00:00 2001
From: sarken
Date: Sun, 17 Sep 2017 04:38:06 -0400
Subject: [PATCH] AO3-5171 Make session last 2 weeks (#3059)
* AO3-5171 Make session cookie last 2 weeks
* AO3-5171 Make 'remember me for two weeks' the default behavior for the user_credentials cookie
* AO3-5171 Remember me should make a session last 3 months instead of 2 weeks
* AO3-5171 Fix the spacing in the _passwd view
* AO3-5171 If we reset remember_me_for in the right place, we don't need all this extra code
* AO3-5171 Remove @remember_me instance variable I temporarily added
* AO3-5171 Make session length configurable and add flash message warning users to log out if they are using a public or shared computer
* AO3-5171 Change constant names to include units
---
 app/controllers/user_sessions_controller.rb | 17 ++++++++++++++++-
 app/models/user_session.rb | 2 ++
 app/views/user_sessions/_passwd.html.erb | 14 ++++++++------
 config/config.yml | 3 +++
 config/initializers/session_store.rb | 2 +-
 5 files changed, 30 insertions(+), 8 deletions(-)
diff --git a/app/controllers/user_sessions_controller.rb b/app/controllers/user_sessions_controller.rb
index afb9d868291..affb3119f85 100644
--- a/app/controllers/user_sessions_controller.rb
+++ b/app/controllers/user_sessions_controller.rb
@@ -9,11 +9,23 @@ def new
 def create
 if params[:user_session]
+ # We currently remember users for 2 weeks even if they do not check
+ # "Remember me" when logging in. To make it last longer for users who
+ # do check "Remember me," we have to set a different value before we
+ # create the session.
+ if user_session_params[:remember_me] == "1"
+ UserSession.remember_me_for = ArchiveConfig.REMEMBERED_SESSION_LENGTH_IN_MONTHS.months
+ end
 # Need to convert params back to a hash for Authlogic bug
 @user_session = UserSession.new(user_session_params.to_hash)
 if @user_session.save
- flash[:notice] = ts("Successfully logged in.")
+ flash[:notice] = ts("Successfully logged in.").html_safe
+ # Remembering users who don't check "Remember me" is non-standard
+ # behavior, so we want to make sure they are aware of it
+ unless user_session_params[:remember_me] == "1"
+ flash[:notice] += ts(" You'll stay logged in for %{number} weeks even if you close your browser, so make sure to log out if you're using a public or shared computer.", number: ArchiveConfig.DEFAULT_SESSION_LENGTH_IN_WEEKS).html_safe
+ end
 @current_user = @user_session.record
 redirect_back_or_default(@current_user)
 else
@@ -49,6 +61,9 @@ def create
 @user_session = UserSession.new(user_session_params)
 render action: 'new'
 end
+ # Set the session value back to 2 weeks so the next session
+ # doesn't also get remembered for 3 months
+ UserSession.remember_me_for = ArchiveConfig.DEFAULT_SESSION_LENGTH_IN_WEEKS.weeks
 end
 end
diff --git a/app/models/user_session.rb b/app/models/user_session.rb
index a5d3d50e049..b44208801ed 100644
--- a/app/models/user_session.rb
+++ b/app/models/user_session.rb
@@ -1,4 +1,6 @@
 class UserSession < Authlogic::Session::Base
 consecutive_failed_logins_limit 50
 failed_login_ban_for 5.minutes
+ remember_me true
+ remember_me_for ArchiveConfig.DEFAULT_SESSION_LENGTH_IN_WEEKS.weeks
 end
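Review bot: The two `.html_safe` calls on the `flash[:notice]` lines mark translator-controlled text as trusted HTML, which the plain `+=` string concatenation here does not need and which lets any markup in a translation of either string render unescaped in the flash. If `ts` returns an ordinary String, drop both calls and let the view escape the notice once; if it already returns a SafeBuffer the calls are redundant anyway. The condition `user_session_params[:remember_me] == "1"` is also evaluated twice in the same method; computing it once up front, e.g. `remember_me = user_session_params[:remember_me] == "1"`, keeps the lifetime branch and the warning branch from drifting apart. `create` continues past the end of this hunk.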
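Review bot: The reset of `UserSession.remember_me_for` added at the end of `create` is a plain statement, so it is skipped whenever the login path raises, and because this is class-level (process-wide) Authlogic config every later login in that process is then remembered for 3 months until a login without "Remember me" happens to run. Under a threaded server two concurrent logins can also interleave between the assignment in the first hunk and this reset, so a user who left the box unticked can receive the long lifetime. At minimum move the reset into an `ensure` clause (`ensure` / `UserSession.remember_me_for = ArchiveConfig.DEFAULT_SESSION_LENGTH_IN_WEEKS.weeks` before the method's `end`); the race only goes away by choosing the lifetime per session instance, for example by overriding `remember_me_for` in `UserSession` to read the instance's own remember-me flag, instead of mutating class config per request. `create` starts in the preceding hunk.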
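Review bot: `remember_me_for ArchiveConfig.DEFAULT_SESSION_LENGTH_IN_WEEKS.weeks` makes the persistence-token cookie live two weeks by default and three months with "Remember me", but nothing in this class sets Authlogic's `secure` or `httponly` cookie options, so unless the gem version in use defaults them the token is sent over plain HTTP and is readable by script for that whole period. Adding `secure Rails.env.production?` and `httponly true` next to `remember_me true` closes that gap. Note also that a Rails `check_box` posts `remember_me=0` when unticked, and as far as I recall Authlogic treats an explicit "0" on the instance as remember_me? false, which would leave the cookie browser-session scoped despite the class default while the flash still promises two weeks; confirm against the Authlogic version in the Gemfile. A short comment above `remember_me true` noting that the controller overrides `remember_me_for` per request would also help the next reader, since this is not the only value in effect.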
diff --git a/app/views/user_sessions/_passwd.html.erb b/app/views/user_sessions/_passwd.html.erb
index 4b519951707..22d627fbb8b 100644
--- a/app/views/user_sessions/_passwd.html.erb
+++ b/app/views/user_sessions/_passwd.html.erb
@@ -1,13 +1,15 @@
 <% @user_session = UserSession.new unless @user_session %>
 <%= form_for @user_session do |f| %>
-
<%= f.label :login, ts("User name:") %>
+
<%= f.label :login, ts("User name:") %>
<%= f.text_field :login %>
-
<%= f.label :password, ts("Password:") %>
+
<%= f.label :password, ts("Password:") %>
<%= f.password_field :password %>
-
<%= f.label :remember_me, ts("Remember me") %>
-
<%= f.check_box :remember_me %>
-
<%= ts("Submit") %>
-
<%= f.submit ts("Log in"), :class => 'submit' %>
+
<%= f.label :remember_me, ts("Remember me") %>
+
<%= f.check_box :remember_me %>
+
<%= ts("Submit") %>
+
+ <%= f.submit ts("Log in"), class: "submit" %>
+
 <% end %>
diff --git a/config/config.yml b/config/config.yml
index 40e5b9d1393..27bdfa73264 100644
--- a/config/config.yml
+++ b/config/config.yml
@@ -11,6 +11,9 @@ SESSION_KEY: '_otwarchive_session'
 SESSION_SECRET: '898f6d0363863ec79d782238cd1c5767636d712cc0d138238bcd5bfc9d2672fb852380050e52c03a0401175d909c09dba48512a119d46b126a84c2dd05716eb5'
+DEFAULT_SESSION_LENGTH_IN_WEEKS: 2
+REMEMBERED_SESSION_LENGTH_IN_MONTHS: 3
+
 # email addresses
 RETURN_ADDRESS: 'do-not-reply@example.org'
 SUPPORT_ADDRESS: 'support@example.org'
diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
index a3b3b5256c8..734d8d66cd8 100644
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@@ -1,6 +1,6 @@
 # Be sure to restart your server when you modify this file.
-Otwarchive::Application.config.session_store :cookie_store, key: '_otwarchive_session'
+Otwarchive::Application.config.session_store :cookie_store, key: '_otwarchive_session', expire_after: ArchiveConfig.DEFAULT_SESSION_LENGTH_IN_WEEKS.weeks
 # Use the database for sessions instead of the cookie-based default,
 # which shouldn't be used to store highly confidential information
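Review bot: `expire_after:` on the cookie store only sets the cookie's Expires attribute, and unless this Rails version embeds expiry metadata in the cookie the server never checks a session's age, so a copied `_otwarchive_session` cookie stays valid well past two weeks and logout does not invalidate it — the configured length is a client-side hint, not a server-enforced bound. The same line sets no `secure:` flag, which matters more now that the session cookie is persistent rather than browser-session scoped; if `config.force_ssl` is not enabled elsewhere, extend it to `..., expire_after: ArchiveConfig.DEFAULT_SESSION_LENGTH_IN_WEEKS.weeks, secure: Rails.env.production?`. If a server-enforced lifetime is wanted, store a login timestamp in the session and reject it in a before_action once it is older than the configured length, or move to an ActiveRecord-backed store as the comment below this line already suggests.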