FEATURE: Add support for not persistent sessions

FEATURE: Add support for not persistent sessions

In some cases Discourse admins may opt for sessions not to persist when a browser is closed.

This is particularly useful in healthcare and education settings where computers are shared among multiple workers.

By default persistent_sessions site setting is enabled, to opt out you must disable the site setting.

diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml
index 9402b50..0585f7a 100644
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@@ -1543,6 +1543,7 @@ en:
     invite_code: "User must type this code to be allowed account registration, ignored when empty (case-insensitive)"
     approve_suspect_users: "Add suspicious users to the review queue. Suspicious users have entered a bio/website but have no reading activity."
     pending_users_reminder_delay: "Notify moderators if new users have been waiting for approval for longer than this many hours. Set to -1 to disable notifications."
+    persistent_sessions: "Users will remain logged in when the web browser is closed"
     maximum_session_age: "User will remain logged in for n hours since last visit"
     ga_universal_tracking_code: "Google Universal Analytics (analytics.js) tracking code ID, eg: UA-12345678-9; see <a href='https://google.com/analytics' target='_blank'>https://google.com/analytics</a>"
     ga_universal_domain_name: "Google Universal Analytics (analytics.js) domain name, eg: mysite.com; see <a href='https://google.com/analytics' target='_blank'>https://google.com/analytics</a>"
diff --git a/config/site_settings.yml b/config/site_settings.yml
index 931d32e..3853edd 100644
--- a/config/site_settings.yml
+++ b/config/site_settings.yml
@@ -478,6 +478,7 @@ login:
     min: -1
     default: 8
+  persistent_sessions: true
     default: 1440
     min: 1
diff --git a/lib/auth/default_current_user_provider.rb b/lib/auth/default_current_user_provider.rb
index 30a8ff8..d254517 100644
--- a/lib/auth/default_current_user_provider.rb
+++ b/lib/auth/default_current_user_provider.rb
@@ -224,10 +224,13 @@ class Auth::DefaultCurrentUserProvider
     hash = {
       value: unhashed_auth_token,
       httponly: true,
-      expires: SiteSetting.maximum_session_age.hours.from_now,
       secure: SiteSetting.force_https
+    if SiteSetting.persistent_sessions
+      hash[:expires] = SiteSetting.maximum_session_age.hours.from_now
+    end
     if SiteSetting.same_site_cookies != "Disabled"
       hash[:same_site] = SiteSetting.same_site_cookies
diff --git a/spec/components/auth/default_current_user_provider_spec.rb b/spec/components/auth/default_current_user_provider_spec.rb
index a6aacf2..8733c6f 100644
--- a/spec/components/auth/default_current_user_provider_spec.rb
+++ b/spec/components/auth/default_current_user_provider_spec.rb
@@ -323,6 +323,16 @@ describe Auth::DefaultCurrentUserProvider do
     expect(provider("/topic/anything/goes", params.merge("HTTP_DISCOURSE_PRESENT" => "true")).should_update_last_seen?).to eq(true)
+  it "supports non persistent sessions" do
+    SiteSetting.persistent_sessions = false
+    @provider = provider('/')
+    cookies = {}
+    @provider.log_on_user(user, {}, cookies)
+    expect(cookies["_t"][:expires]).to eq(nil)
+  end
   it "correctly rotates tokens" do
     SiteSetting.maximum_session_age = 3
     @provider = provider('/')

GitHub sha: 44fba946