
What are your recommendations for setting session expiration? #17

Open
simevidas opened this issue Feb 5, 2014 · 5 comments

Comments

@simevidas

I've set up Persona sign-in on my site and it works great. I've noticed that Persona will try to perform an automatic sign-in on page load - this is based on Express.js's session cookie value, I assume.

E.g. a visitor signs in with Persona and then closes the page. After a few minutes, they open the page again, and within ~3 seconds they are signed in again automatically. However, if they visit the site after 1 day, Persona will not perform a sign in, but instead just run the "signout" handler.

I would like to have a setup that performs an automatic sign-in even after 1-2 days since the last visit. I assume I have to set the expires value in the Express.js session configuration:

app.use(express.session({ 
    secret: process.env.SESSION_SECRET || 'fallback',
    store: new MongoStore({ url: mongoURL }),

    /* Would this work? */
    cookie: {
        expires: /* desired future date value, e.g. 2 days into the future */
    }
}));

If I set expires to, say, 48 hours, would Persona perform automatic sign-in within that period? And, would that be a good practice? What are your recommendations?

Note: Persona does provide a "Remember me for one month" option, but from my experience, this option alone does not enable automatic sign-in.

@jbuck
Owner

jbuck commented Feb 6, 2014

Persona will try to perform an automatic login if you hit the "Remember me for one month" option, which is set on a per-browser basis with some localStorage value stored on https://login.persona.org. As you've found, it's pretty unreliable :)

You're spot-on with the solution too: instead of having Persona manage user login/logout state via navigator.id.watch(), you should manage the user state yourself. Having a cookie expire sometime in the future is one way of doing this. You'll need to have some way to check your logged-in state on the client side so that, if you're logged in, you don't call navigator.id.watch(), and if you're logged out, you do call navigator.id.watch().

@jbuck
Owner

jbuck commented Feb 6, 2014

In terms of good practice, it's a good idea to have a checkbox allowing people to have their sessions remembered or not, and then determine how long that session duration should be. That'll depend on how important your site data is, but I think 2 days is pretty reasonable, since it's on the short side.
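The two suggestions above (manage login state yourself instead of leaving it to navigator.id.watch(), and let a "remember me" checkbox pick the session length) put together, as an added example that is not code from this repository or from Persona. It runs under Node without Express; the cookie option names (httpOnly, secure, sameSite, path, maxAge in milliseconds) are assumed to match what the session middleware accepts, the lifetimes in POLICY are assumed values (2 days taken from the thread), and navigatorId is injected so the browser half can be exercised outside a browser.

```javascript
// Added example (not the project's own code): self-managed login state with a
// "remember me" driven session lifetime, plus the client-side decision of
// whether to hand control to navigator.id.watch() at all.

const HOUR_MS = 60 * 60 * 1000;

// Assumed policy values: a remembered session lives at most 2 days (the figure
// from the thread) but also times out after 12 idle hours; a plain session is a
// browser-session cookie that idles out after 30 minutes.
const POLICY = {
  plain:      { absoluteMs: 8 * HOUR_MS,  idleMs: 30 * 60 * 1000, persistCookie: false },
  remembered: { absoluteMs: 48 * HOUR_MS, idleMs: 12 * HOUR_MS,   persistCookie: true  },
};

// Cookie options to hand to the session middleware after a successful login.
// Without maxAge the cookie is a browser-session cookie; with it, the browser keeps it.
function cookieOptionsFor(rememberMe) {
  const rule = rememberMe ? POLICY.remembered : POLICY.plain;
  const opts = { httpOnly: true, secure: true, sameSite: 'lax', path: '/' };
  if (rule.persistCookie) opts.maxAge = rule.absoluteMs;
  return opts;
}

// Server-side session record, created only after the Persona assertion was verified.
function createSession(email, rememberMe, now) {
  return { email, rememberMe: Boolean(rememberMe), createdAt: now, lastSeenAt: now };
}

// True while the session is inside both its absolute lifetime and its idle window.
// Both limits are enforced server-side, so a surviving cookie alone cannot keep a
// session alive past the policy.
function isSessionActive(session, now) {
  if (!session || !session.email) return false;
  const rule = session.rememberMe ? POLICY.remembered : POLICY.plain;
  return now - session.createdAt < rule.absoluteMs && now - session.lastSeenAt < rule.idleMs;
}

// Call on each authenticated request: returns the refreshed session, or null once
// it has expired (the caller should then treat the visitor as logged out).
function touchSession(session, now) {
  if (!isSessionActive(session, now)) return null;
  return { ...session, lastSeenAt: now };
}

// Client-side half: only start Persona's watch() when our own session says the
// visitor is logged out. In a page, navigatorId is navigator.id and currentUser is
// the email the server rendered into the page (or null); both are parameters here
// so the function can run in Node.
function setupPersona(navigatorId, currentUser, handlers) {
  if (currentUser) return false;   // our cookie is still valid: skip watch() entirely
  navigatorId.watch({
    loggedInUser: null,            // tell Persona nobody is signed in on this page
    onlogin: handlers.onlogin,     // POST the assertion to the server for verification
    onlogout: handlers.onlogout,   // clear the server session, then reload
  });
  return true;
}
```

On login, the server calls createSession with the checkbox value and sets the cookie with cookieOptionsFor; on every request it runs touchSession and renders the resulting email (or null) into the page, which is what setupPersona reads. The separate idle and absolute limits are the part a practitioner usually wants beyond a single expires date: a remembered cookie can be 2 days old, but a session that nobody has used for hours still ends.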

@simevidas
Author

I'll perform some (systematic) testing on my site with respect to how Persona behaves for visitors. I've noticed today that auto sign-in worked after more than 10 hours, which means that it's not killed when the browser session ends (and the session cookie is destroyed). I'll report back after a few days. This information could be valuable for (potential) users of this module.

@jbuck
Owner

jbuck commented Feb 7, 2014

I think it'll depend on which IdP is setting up credentials. You'll probably get a pretty good behaviour set if you test with a personal, a gmail.com, and a yahoo.com email address.

@simevidas
Author

(I'm testing with an email from one of my own domains. I haven't set up an IdP for it, so Persona is taking care of that.)
