Do the session cookies expire? Is there a setting for that?


(Blu McCormick) #1

Do the session cookies expire? My cohort was still logged on after a couple of days, and also with his browser closing. He’d like to know if there is a policy about having to re-authenticate at least once every 24 hours? Apparently, it is good to have them “expire” for security reasons. If we ban someone, we know that for sure in 24 hours they will be logged out and their permissions reset. We know if someone leaves a session open on a computer somewhere in public that it will log out in 24 hours so people can’t just post randomly.

Are there settings for this and what should I search for in settings to bring them up?

Thanks in advance,
Blu


(Jeff Atwood) #2

Suspending someone immediately revokes their login, so there’s nothing necessary to do. You could test this, if you like, by creating a new account (in a different browser is easiest) and then suspending it.


(Vinoth Kannan) #3

You could set the maximum session age for ‘n’ hours to expire the session cookie. But the default value itself is suitable in most cases. You don’t have to worry about session expiry / suspended users. Discourse will handle it better like Jeff said.
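As an added illustration of the two mechanisms Jeff and Vinoth describe (a maximum session age that bounds how long a cookie stays valid, and suspension that revokes a user's sessions immediately regardless of that age), here is a small constructed model in Ruby. It is not Discourse's own code: the `SessionStore` class, its method names, the injectable clock and the 24-hour value are all assumptions made for the example.

```ruby
require 'securerandom'
require 'time'

# Constructed, simplified model of server-side session handling (not Discourse's code).
# Each login issues an opaque token; a token is valid only while it is younger than
# the configured maximum session age AND its user is not suspended.
class SessionStore
  Session = Struct.new(:token, :user_id, :issued_at)

  # max_session_age_hours: the "maximum session age" idea from the thread, as an assumed name
  # now: injectable clock so the expiry check can be exercised deterministically
  def initialize(max_session_age_hours:, now: -> { Time.now })
    @max_age_seconds = max_session_age_hours * 3600
    @now = now
    @sessions = {}   # token -> Session
    @suspended = {}  # user_id -> true
  end

  # Issue a fresh random session token for the user (refused for suspended users).
  def login(user_id)
    raise ArgumentError, "user #{user_id} is suspended" if @suspended[user_id]
    token = SecureRandom.hex(16)
    @sessions[token] = Session.new(token, user_id, @now.call)
    token
  end

  # Returns the user id if the cookie is still valid, nil otherwise.
  def authenticate(token)
    session = @sessions[token]
    return nil unless session
    if @now.call - session.issued_at > @max_age_seconds
      @sessions.delete(token) # expired: drop it server-side, not just in the browser
      return nil
    end
    return nil if @suspended[session.user_id]
    session.user_id
  end

  # Suspension revokes every session of the user at once; no need to wait for expiry.
  def suspend(user_id)
    @suspended[user_id] = true
    @sessions.delete_if { |_, s| s.user_id == user_id }
  end

  # Keep only the calling browser's session; every other session of that user is dropped.
  def revoke_other_sessions(token)
    keep = @sessions[token]
    return if keep.nil?
    @sessions.delete_if { |t, s| s.user_id == keep.user_id && t != token }
  end

  # Constructed walkthrough of the scenarios discussed in the thread; returns the outcomes.
  def self.walkthrough
    clock = Time.at(0)
    store = new(max_session_age_hours: 24, now: -> { clock })
    results = {}

    alice = store.login(1)
    clock = Time.at(23 * 3600)
    results[:alice_at_23h] = store.authenticate(alice)  # still within the 24h window
    clock = Time.at(25 * 3600)
    results[:alice_at_25h] = store.authenticate(alice)  # past the window: nil

    bob_laptop = store.login(2)
    bob_public_pc = store.login(2)
    store.revoke_other_sessions(bob_laptop)             # "log out other browsers"
    results[:bob_public_pc] = store.authenticate(bob_public_pc)
    results[:bob_laptop] = store.authenticate(bob_laptop)

    store.suspend(2)                                    # immediate revocation
    results[:bob_after_suspend] = store.authenticate(bob_laptop)
    results[:bob_relogin_refused] = begin
      store.login(2)
      false
    rescue ArgumentError
      true
    end
    results
  end
end

puts SessionStore.walkthrough.inspect if __FILE__ == $0
```

The point the walkthrough makes is that the maximum session age only matters for the "forgotten session on a public computer" case; a ban or suspension does not depend on it at all, because the server drops the sessions the moment the account is suspended.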


(Blu McCormick) #4

Thanks, Vinoth. By Discourse handling it better do you mean the setting you referenced does its job well to log out inactive users after n hours?


(Vinoth Kannan) #5

Yes. Also like @codinghorror said, suspended user logins will be revoked immediately.


(Blu McCormick) #6

Thank you so much guys.

Here is the setting of interest in case other members are interested:


(Jay Pfaffman) #7

Adding to the points above…

If he wants to be logged out, he can type ZZ. (Try it!)

Unless he logged in at someone else’s computer, there is no security issue. It’s really nice not to have to log in repeatedly. A user can also log out other browsers from the profile, I think. Think carefully before annoying everyone in your community with having to log in every. Single. Day.


(Blu McCormick) #8

Good point on member irritation. What is your magic number for auto logout after n hours? Betting lots of wisdom went into the default setting. I have no idea as far as how to prioritize security over member convenience. My cohort is a web security consultant and he thinks of things like that that don’t even occur to me. Security is on his radar. Getting auto logged out is a big bummer for me personally.


(Jay Pfaffman) #9

I leave it at the default.

Unless your community has sensitive data and/or lots of people likely to log in from public computers (where they are not logged in to their own account) the security issues seem minimal.

Security is a continuum. You could set the timeout to be ten minutes and require two factor. It would be safer, but you’d lose lots of members.


(Blu McCormick) #10

I hope we can get members less tapped into tech who might use a public computer but am betting most members are going to be wired in on their own devices.


(Jay Pfaffman) #11

Me too. Tell the security person thanks and suggest that he type ZZ frequently and turn on two factor authentication.


(Blu McCormick) #12

Which setting are you talking about specifically for two factor authentication? All I get in a search are sign ins through outside vendors like facebook, which we use for select vendors. I am looking in admin site settings.


(Jay Pfaffman) #13

It was added in beta 4: Discourse 2.0.0.beta4 Release Notes