new option for configurable cookie lifetime #7709
Conversation
|
Just an update to confirm that this feature works as expected in long-time, real-world conditions: I've set Now, any browser that opens Roundcube at least every 3 days will only need to re-login once every 30 days. However, if 3 days pass without opening Roundcube, the session expires, and a the browser needs to login again, starting another 3 day/30 day timeout. |
|
With this going nowhere, I'm maintaining a patch for this functionality in its own repository. |
|
I don't like how it is. The cookie_lifetime should be always |
|
@emtiu Thanks very much for the patch, using it on my private RC. |
|
I'd like that option too. A remember me could work sure but if I'm not mistaken it requires finding and installing some remember me plugin, which may not be well maintained. In comparison the |
I know this is old, but what "remember me" check box on login screen? I have never seen one. Is this a setting that must be enabled? |
No, it's a proposed alternative solution that doesn't exist. |
Well, this plugin has that check box for "remember me" functionality, but it has to maintain a separate table (auth_tokens) which almost duplicates the standard sessions table in roundcube. A checkbox on the login screen that enables a user to toggle between a (per user) 'session_lifetime' = 10 (default) or e.g. 10000 (~week) would do the trick... right? |
|
Any update on this? Still interested in having this merged here, applying the patch manually for now. |
|
Any progress on this PR? |
Nothing since it was informally rejected here in 2021. But I'm keeping my patches up to date with every release of Roundcube 😇 |
|
Also still using @emtiu 's patches, ported to 1.7.0. I just think I hit a documentation issue: "Note that whatever the cookie_lifetime set for the browser, sessions always expire after closing Roundcube when the session_lifetime (as tracked by the server) has expired. Therefore, it makes no sense to set a cookie_lifetime longer than the session_lifetime." And later: "cookie_lifetime set to 14 days, session_lifetime set to 2 days: Any browser that logs in to Roundcube stays logged in for 14 days at most, but is logged out automatically after 2 days have passed without opening Roundcube. --> If Roundcube is accessed at least every 2 days, the user will only need to re-login every 14 days." Isn't that a contradiction? |
You're right! Thank you for pointing this out, I've fixed the description 👍 |
|
Hi there! Can we have this as core functionality, somehow? |
From my understanding this PR might have a chance if the extended cookie lifetime would depend on a "remember me"-checkbox at the login. @alecpl Is that correct? @emtiu Would you be willing to change the code accordingly? |
Thanks for the suggestion. I'm afraid I don't have the time to figure out how to do that, and the current patch already does what I want it to do. |
Implementing #5050 by introducing a new config option
cookie_lifetime.The default is the current behavior (i.e. set session cookies with lifetime 0).