Auth session cannot be prolonged even if the user is active

[jimmytheneutrino]

Describe the bug

The fix for #1557 changed the logic of when the session is killed. The hard timeout makes it now impossible to prolong the session even if the user is active and keeps refreshing tokens via silent refresh.

Could we reintroduce the possibility for the old behavior while keeping the new behaviour possible, too? In particular, it would be enough if setting rememberFor to a positive value on skipped login would still trigger the recreation of the session cookie. See the relevant line: https://github.com/ory/hydra/pull/1564/files#diff-daf069930bf5aee3faa0136e399ebaa2R433

This way, omitting the rememberFor on skipped login would result in the current behaviour (the old cookie is kept, max-age is not changed). But providing positive rememberFor would update the cookie with the new max-age, thus prolonging its life.

[aeneasr]

I think it would be better to set RememberFor to something large the first time the user authenticates that you can live with, such as a month, 6 months, or a year. It's typically a good idea to purge the cookie at some point. Wouldn't that too resolve your issue?

[jimmytheneutrino]

Not exactly. I want the session to die after a period of inactivity of, say, 4-6 hours. But not to die when the user is active. If I could reset rememberFor on skipped request, this could be easily achieved.

[aeneasr]

Right, that makes total sense!

The reason we disabled this behavior was because people might accidentally set RememberFor to some value always but do actually intend to not refresh the session every time.

Therefore, I think we should add another payload, something along the lines of RefreshRememberTTL uint64 (or bool) which would have the effect you want. Still trying to figure out if it should be the number of seconds as well, or if it should be a boolean which basically re-enables the RememberFor flag. Not sure at the moment about the naming, appreciate ideas!

[jimmytheneutrino]

I think, a more-or-less standard name for such a behavior is session timeout (e.g., server.servlet.session.timeout in spring boot). This could, in theory, be different from the total max-age of the session set by rememberFor.

[aeneasr]

Ok, tracking this - contributions are welcomed

[jeremiahsmall]

Is this going to be addressed soon?

[github-actions[bot]]

Hello contributors!

I am marking this issue as stale as it has not received any engagement from the community or maintainers for a year. That does not imply that the issue has no merit! If you feel strongly about this issue

• open a PR referencing and resolving the issue;
• leave a comment on it and discuss ideas on how you could contribute towards resolving it;
• leave a comment and describe in detail why this issue is critical for your use case;
• open a new issue with updated details and a plan for resolving the issue.

Throughout its lifetime, Ory has received over 10.000 issues and PRs. To sustain that growth, we need to prioritize and focus on issues that are important to the community. A good indication of importance, and thus priority, is activity on a topic.

Unfortunately, burnout has become a topic of concern amongst open-source projects.

It can lead to severe personal and health issues as well as opening catastrophic attack vectors.

The motivation for this automation is to help prioritize issues in the backlog and not ignore, reject, or belittle anyone.

If this issue was marked as stale erroneously you can exempt it by adding the backlog label, assigning someone, or setting a milestone for it.

Thank you for your understanding and to anyone who participated in the conversation! And as written above, please do participate in the conversation if this topic is important to you!

Thank you 🙏✌️