New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
When does a login session expire? #39
Comments
Setting the login session expiration is independent from Why is your second issue a security problem? |
Thanks, I'll take a look into those options. Regarding the security issue: Imagine you login to a public computer A and you go home and you login to your personal computer B. In this case I'd expect computer A to be automatically logged out because otherwise A will stay logged in until the session expires (which can take quite some time) or perhaps forever if a very long expire time is set. |
You need some kind of session store on the server, Redis for example. Right now sessions are completely handled via cookies. Simple replace |
@zemirco That's exactly what I did last week (replacing Also, I am seeing myself being automatically logged out after a few hours although the session should not be invalidated yet (30 days not reached yet). Is there some kind of ddos protection mechanism built into lockit? I poll |
Seems to be a third party cookie https://tools.digitalpoint.com/cookie-search?name=_passenger_route. If you try to login Your problem must be somewhere else. |
I see no configuration option in the documentation for this... What is the default expire time for each session?
Also, I noticed that if you log in twice with the same account on two different browsers (let's call them session1 and session2) and you log out from session2, then you will stay logged in in session1. Is this on purpose? I think it's a security problem.
The text was updated successfully, but these errors were encountered: