Unexpected session expiration in secondary device

Open sseerrggii opened this issue 6 years ago • 5 comments

I have been investigating why the session closes in the mobile app (webview).

After a bit of headache trying to find the pattern, I think I understood what is going on.

The problem happens when the user checks "remember me" on login: this is the default behaviour on the mobile app. In the DB it is stored as the REMEMBER CREATED AT date.

After that, if this user logs in on desktop and closes the session on desktop, the REMEMBER CREATED AT field is reset to null, and the session on mobile will expire in 1 hour (devise config.timeout_in).

So is there a way to avoid this behaviour? We want to keep REMEMBER CREATED AT on the app session.

I found this config in /config/initializers/devise.rb, I'm not sure if it's the solution:

# Set this configuration to false if you want /users/sign_out to sign out
# only the current scope. By default, Devise signs out all scopes.
# config.sign_out_all_scopes = true

Extra

We want to persist the session on the mobile app. The rememberable option is for 4.weeks, so we need to update REMEMBER CREATED AT the next time the user interacts with the app. I think this can also be done in /config/initializers/devise.rb

# If true, extends the user's remember period when remembered via cookie.
config.extend_remember_period

What do you think? @markets @mllocs @sauloperez @enricostano

sseerrggii avatar Dec 12 '18 16:12 sseerrggii

I don't know what that column actually looks like in the DB and I'm not an expert on Devise myself, but what you suggest about sign_out_all_scopes sounds good.

sauloperez avatar Dec 24 '18 16:12 sauloperez

Sadly it doesn't work as expected :disappointed:

config.sign_out_all_scopes is true, but when I sign out of a session started without 'remember me', the REMEMBER CREATED AT is reset.

Also, I don't see that config.extend_remember_period refreshes the date on REMEMBER CREATED AT.

Actually, I'm not sure what the expected behaviour of changing these variables is. I didn't find it in the Devise documentation: https://www.rubydoc.info/github/plataformatec/devise/Devise/Models/Rememberable

sseerrggii avatar Feb 02 '19 14:02 sseerrggii

Then we might need to check Devise's codebase.

sauloperez avatar Feb 12 '19 13:02 sauloperez

I think this matches the behaviour described in this Devise issue: https://github.com/heartcombo/devise/issues/5212

mperezv avatar Apr 27 '20 08:04 mperezv

Also, I think we could have tried to set expire_all_remember_me to false, but I found this other Devise issue and it seems it wouldn't work: https://github.com/heartcombo/devise/issues/5027

mperezv avatar Apr 27 '20 08:04 mperezv
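
The behaviour reported in this thread, as an added example that is not part of the original issue and is not Devise's or TimeOverflow's code: a simplified model where one per-user remember timestamp is shared by every device (Design A), next to an assumed per-device alternative (Design B). Class and method names are hypothetical, and times are plain integer seconds.

```ruby
require "securerandom"
require "digest"
# Simplified model constructed for this example; it is not Devise's code.
TIMEOUT_IN   = 60 * 60                 # 1 hour (config.timeout_in in the issue)
REMEMBER_FOR = 4 * 7 * 24 * 60 * 60    # 4 weeks, the remember period in the issue

# Design A: one remember timestamp per user, shared by every device.
class SharedRememberUser
  def sign_in(now, remember:)
    @remember_created_at ||= now if remember
    { last_seen: now, remembered: remember }
  end
  def sign_out(_session)
    @remember_created_at = nil         # any sign-out clears it for all devices
  end
  def authenticated?(session, now)
    return true if now - session[:last_seen] <= TIMEOUT_IN
    session[:remembered] && !@remember_created_at.nil? &&
      now - @remember_created_at <= REMEMBER_FOR
  end
end

# Design B (assumed alternative): one remember record per device, kept as a digest.
class PerDeviceRememberUser
  def initialize
    @remember = {}                     # SHA-256(token) => created_at
  end
  def sign_in(now, remember:)
    token = remember ? SecureRandom.hex(32) : nil
    @remember[Digest::SHA256.hexdigest(token)] = now if token
    { last_seen: now, token: token }
  end
  def sign_out(session)                # revokes only the calling device's record
    @remember.delete(Digest::SHA256.hexdigest(session[:token])) if session[:token]
  end
  def authenticated?(session, now)
    return true if now - session[:last_seen] <= TIMEOUT_IN
    created = session[:token] && @remember[Digest::SHA256.hexdigest(session[:token])]
    !created.nil? && now - created <= REMEMBER_FOR
  end
end

# Mobile signs in remembered, desktop signs in and out, mobile returns after timeout_in.
def mobile_survives_desktop_sign_out?(user)
  mobile  = user.sign_in(0, remember: true)
  desktop = user.sign_in(10, remember: false)
  user.sign_out(desktop)
  user.authenticated?(mobile, TIMEOUT_IN + 60)
end
```

In Design B a user-wide revocation (for example after a password change) means clearing every record for that user, which the shared timestamp in Design A gives for free.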