FEATURE: add setting permanent_session_cookie to configure session st… (PR #4226)

…ickiness

Now admins can make the login cookie die after the browser is closed, so the user needs to log in every time.

See https://meta.discourse.org/t/session-timeout/34686/17?u=falco


You’ve signed the CLA, xfalcox. Thank you! This pull request is ready for review.

@samsaffron will need to review

On Mon, May 16, 2016 at 9:16 PM discoursebot notifications@github.com wrote:

You’ve signed the CLA, xfalcox. Thank you! This pull request is ready for review.


I’ve been running this in production for a month now, it’s pretty useful in a shared-computer corporate environment. And with SSO it’s painless.

This is fine, one thing we always wanted to add in this department was a concept of “session lifetime”

Er… what? I’m not following, how is it a good thing to never use cookies? So users have to log in every time they visit the site? At the very least this needs much clearer copy.

This is fine, one thing we always wanted to add in this department was a concept of “session lifetime”

Yes, but this would be a minutely job that checks if the user is idle for more than X minutes and uses the force log out feature.

Er… what? I’m not following, how is it a good thing to never use cookies? So users have to log in every time they visit the site? At the very least this needs much clearer copy.

If an admin turns off the setting the cookie is still there, but it doesn’t survive a computer restart or closing all the tabs.

If the user turns off a PC, in some environments, he expects to be logged out of everything. Like public libraries, PC bangs and company PCs.

Also, I recommend using this alongside SSO so the user doesn’t even know what’s happening.
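
Added example, not code from this pull request: a Ruby check that classifies a `Set-Cookie` header as a session cookie (no `Expires` or `Max-Age`, so it is dropped when the browser closes) or a persistent one, which is the difference the setting discussed above controls. The cookie name `login_token`, the sample headers and the helper names are constructed for illustration.

```ruby
require "time"

# Constructed sample headers (not captured from a real site).
SAMPLES = {
  permanent: "login_token=abc123; path=/; expires=Tue, 16 May 2017 21:16:00 GMT; HttpOnly; Secure",
  session:   "login_token=abc123; path=/; HttpOnly; Secure"
}.freeze

# Classify one Set-Cookie header value as :session, :persistent or :deleted.
def cookie_lifetime(set_cookie, now: Time.now)
  name_value, *attrs = set_cookie.split(";").map(&:strip)
  attrs = attrs.to_h do |a|
    key, value = a.split("=", 2)
    [key.downcase, value]
  end

  # Max-Age takes precedence over Expires when both are present (RFC 6265).
  expires_at =
    if attrs["max-age"]&.match?(/\A-?\d+\z/)
      now + attrs["max-age"].to_i
    elsif attrs["expires"]
      begin
        Time.httpdate(attrs["expires"])
      rescue ArgumentError
        nil # not an RFC 1123 date; treated as absent in this check
      end
    end

  kind = if expires_at.nil? then :session
         elsif expires_at <= now then :deleted
         else :persistent
         end

  { name: name_value.split("=", 2).first, kind: kind, expires_at: expires_at,
    secure: attrs.key?("secure"), http_only: attrs.key?("httponly") }
end

# True when the header matches what the admin setting is supposed to produce.
def matches_setting?(set_cookie, permanent:, now: Time.now)
  expected = permanent ? :persistent : :session
  cookie_lifetime(set_cookie, now: now)[:kind] == expected
end
```

A session cookie only ends when the browser actually discards it; browsers configured to restore the previous session on startup can keep session cookies across restarts, so on shared machines this setting does not replace a server-side idle timeout.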