Extending NONCE timeout period

(Robert McIntosh) #1

Is there any way, or reason not to, extend the period of the NONCE validity beyond 10 minutes?

Our SSO currently involves logging in to our existing site and creating a username and/or new display name. Since these should, in theory, encourage you to review our guidelines, it is not impossible that the token needs to last more than 10 minutes to give them a chance to complete the process.

Our own site’s session is extended to 20 minutes, which means that if you take 11-20 minutes to click ‘SUBMIT’ your record will get stored, but as a user you get a very non-descript and unhelpful error message page.

Alternatively, can we edit that error page (which is on the Discourse site) to encourage them to simply refresh and retry the login WITHOUT the expired token?

Has anyone else come up against this? It is not an error - the SSO works fine, it is merely a question of time limits

(Sam Saffron) #2

Fine to make this a site setting if you submit a pr