devise
Request for 5.0: timeoutable should ignore remember_me?
I've noticed that if a user has "remember me" checked when signing in, this will begin a session that ignores the timeoutable module hook. This looks to be an intentional behaviour, but I would argue that it's weird to have a checkbox available to anyone being able to circumvent a security measure.
This would be a breaking change, hence the request for 5.0. If there's no desire to change this behaviour, perhaps we could introduce a new config setting to control this behaviour.
TL;DR: I know this feature request is 4+ years old, but it's really confusing (if I've understood correctly). Ideally someone with commit authority would close this and/or correct what's right or wrong in the above. But recording here for others either way:
My understanding is (please correct me if I'm wrong) that these two strategies are quite subtly different:
Rememberable is a strategy that works only if the user clicks "Remember me" (as well as it being configured and set up correctly), and its purpose is to remember the user for this length of time, by a cookie which is totally separate from the rails session.
Timeoutable is to ensure that authentication-sessions (that aren't remembered as above, either because the user doesn't click remember me, or Rememberable isn't configured at all) don't last more than the configured time of activity (since last request). This is managed through rails session data (however stored), and not through an independent cookie.
So if you just want a timeout and don't want the user to be Rememberable via a cookie for a different time, then you should turn off Rememberable (by removing it from the devise model configuration), or if you want Rememberable but of a similar length to Timeoutable (for some reason), then adjust the length of config.remember_for in the devise initializer.
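To make the interaction described in the thread concrete, here is an added example (editor's code, not Devise's own, and not posted by anyone in the thread). It is a dependency-free Ruby model of the logic Devise runs in its timeoutable hook (`lib/devise/hooks/timeoutable.rb`), where a timed-out session is only logged out when the remember-me cookie is not active. The names `Config`, `User`, `timeoutable_hook` and `outcome_after_idle` are assumptions for illustration; the 30-minute and 2-week values are constructed sample settings, and real Devise uses Warden and Rails sessions rather than a plain hash.

```ruby
# Added example, not Devise's own code: a model of how the Timeoutable hook and
# the Rememberable cookie interact. Class and method names are assumptions.
MINUTES = 60
HOURS = 60 * MINUTES
DAYS = 24 * HOURS
WEEKS = 7 * DAYS

# Stand-in for the devise initializer values (assumed names).
# rememberable: whether :rememberable is present in the model at all.
Config = Struct.new(:timeout_in, :remember_for, :rememberable)

class User
  attr_reader :remember_created_at

  def initialize(config)
    @config = config
    @remember_created_at = nil
  end

  # Timeoutable#timedout?: idle longer than timeout_in since the last request.
  def timedout?(last_request_at, now)
    return false if @config.timeout_in.nil? || last_request_at.nil?
    last_request_at <= now - @config.timeout_in
  end

  # Rememberable#remember_me!: set when the "Remember me" box was checked.
  def remember_me!(now)
    @remember_created_at = now
  end

  # Rememberable#remember_expired?: the cookie lives remember_for seconds
  # from creation (not from the last request), so aligning remember_for
  # with timeout_in does NOT give an idle timeout, it gives a hard expiry.
  def remember_expired?(now)
    @remember_created_at.nil? || (@remember_created_at + @config.remember_for) <= now
  end
end

# One request through the timeoutable hook. `session` models the Rails
# session data (here a hash carrying :last_request_at). Returns :ok, or
# :timed_out when the hook would sign the user out.
def timeoutable_hook(user, session, config, now)
  remember_active = config.rememberable && !user.remember_expired?(now)
  if user.timedout?(session[:last_request_at], now) && !remember_active
    session.delete(:last_request_at)
    return :timed_out
  end
  session[:last_request_at] = now
  :ok
end

# Scenario helper: sign in at a fixed constructed time, optionally with
# "Remember me", then make the next request after `idle` seconds.
def outcome_after_idle(config, remember_me:, idle:)
  t0 = Time.utc(2024, 1, 1, 9, 0, 0)
  user = User.new(config)
  user.remember_me!(t0) if remember_me
  session = { last_request_at: t0 }
  timeoutable_hook(user, session, config, t0 + idle)
end

if __FILE__ == $0
  default = Config.new(30 * MINUTES, 2 * WEEKS, true)
  # Plain session, idle for an hour: the hook logs the user out.
  puts outcome_after_idle(default, remember_me: false, idle: 1 * HOURS)
  # Same idle time but "Remember me" was ticked: the timeout is bypassed.
  puts outcome_after_idle(default, remember_me: true, idle: 1 * HOURS)
  # Option 1 from the thread: drop :rememberable from the model.
  no_remember = Config.new(30 * MINUTES, 2 * WEEKS, false)
  puts outcome_after_idle(no_remember, remember_me: true, idle: 1 * HOURS)
  # Option 2 from the thread: set config.remember_for to match timeout_in.
  aligned = Config.new(30 * MINUTES, 30 * MINUTES, true)
  puts outcome_after_idle(aligned, remember_me: true, idle: 1 * HOURS)
end
```

The four scenarios print `timed_out`, `ok`, `timed_out`, `timed_out`. The second line is the behaviour the issue complains about: with a live remember cookie, the idle timeout never fires. The last scenario shows the caveat with the "align the lengths" workaround: `remember_for` counts from when the cookie was created, so a user who stays active is still signed out after 30 minutes of wall-clock time, which is not the same thing as an idle timeout.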