
When does a login session expire? #39

Closed
valnub opened this issue Jul 13, 2015 · 5 comments

Comments

@valnub

valnub commented Jul 13, 2015

I see no configuration option in the documentation for this... What is the default expire time for each session?

Also, I noticed that if you log in twice with the same account on two different browsers (let's call them session1 and session2) and you log out from session2, then you will stay logged in in session1. Is this on purpose? I think it's a security problem.

@zemirco
Owner

zemirco commented Jul 23, 2015

Setting the login session expiration is independent from lockit and is handled by cookie-session. Take a look at their options for further configuration.

Why is your second issue a security problem?

@valnub
Author

valnub commented Jul 23, 2015

Thanks, I'll take a look into those options.

Regarding the security issue: Imagine you log in on a public computer A, then you go home and log in on your personal computer B. In this case I'd expect computer A to be automatically logged out, because otherwise A will stay logged in until the session expires (which can take quite some time), or perhaps forever if a very long expire time is set.

@zemirco
Owner

zemirco commented Jul 23, 2015

You need some kind of session store on the server, Redis for example. Right now sessions are completely handled via cookies.

Simply replace cookie-session with session and it should work. lockit-utilities can destroy both kinds of sessions.

@valnub
Author

valnub commented Jul 23, 2015

@zemirco That's exactly what I did last week (replacing cookie-session with session). That worked partly. Now I see a session ID in my browser's cookie storage called passenger.sid which is valid for 30 days (which is correct, I manually set it to that expire time). However, I see another cookie there which seems to be related to session handling, called _passenger_route. As you can see, its expire date is set to "session", which means that it expires once the browser is closed, right? What is this cookie value used for? Is it part of Angular routing, lockit session handling, or Node/Express related?

Screenshot: [image of the browser's cookie storage, not included]

Also, I am seeing myself being automatically logged out after a few hours, although the session should not be invalidated yet (30 days not reached yet). Is there some kind of DDoS protection mechanism built into lockit? I poll rest/whois every 10 seconds via Ajax to check if the user is still logged in or not.

@zemirco
Owner

zemirco commented Jul 23, 2015

Seems to be a third party cookie https://tools.digitalpoint.com/cookie-search?name=_passenger_route.

If you try to login lockit will prevent multiple unsuccessful attempts. Checking rest/whois should not cause any problems. It's not really part of lockit anyway. Just a workaround to communicate your user to the frontend - https://github.com/zemirco/lockit/blob/master/examples/angular/app.js#L41-L45.

Your problem must be somewhere else.

@zemirco zemirco closed this as completed Aug 31, 2015