Fix/session timeout #304
Fix/session timeout #304
Conversation
|
Sorry for the slow response times, been slammed/stressed lately. Haven't forgotten about this, but haven't had the mental bandwidth to tackle it either. Will hopefully get this fixed and tackle the other open issues in the near future, once I'm caught up on other things. |
|
Hello @joshbuker, would you mind checking this issue again? |
|
10 months... Yikes, my bad. Yeah, adding this to my priority task list. |
| expect(session[:user_id]).to be_nil | ||
| end | ||
|
|
||
| it 'does not resets session and remember_me cookies after session timeout' do |
There was a problem hiding this comment.
Is this test supposed to be "does not reset session and remember_me cookies before session timeout"?
There was a problem hiding this comment.
Yes, i will change
|
Thanks for your patience ❤️ Depressingly, even my priority task list is hilariously backlogged. |
|
Thank you for the review, I will improve this specs next week and test a little bit more. This line |
| @@ -52,6 +52,7 @@ def register_login_time(_user, _credentials = nil) | |||
| def validate_session | |||
| session_to_use = Config.session_timeout_from_last_action ? session[:last_action_time] : session[:login_time] | |||
| if (session_to_use && sorcery_session_expired?(session_to_use.to_time)) || sorcery_session_invalidated? | |||
| forget_me! if current_user.present? && Config.submodules.include?(:remember_me) | |||
There was a problem hiding this comment.
Wouldn't it make more sense to just call logout here?
There might be other before/after logout hooks configured and logout already takes care of calling all of those.
Just discovered this PR after I ran into the same problem and opened my PR with logout here:
#358
There was a problem hiding this comment.
Hello @jankoegel i saw you PR, yes is better then mine. Makes more sense to call logout. Can i add the tests in your PR?
There was a problem hiding this comment.
Sure, I invited you as a collaborator to my fork. Let me know if that works for you & thanks for preparing the specs!
|
@joshbuker @jankoegel closing to resolve in #358 |
Please ensure your pull request includes the following:
Description
When :remember_me, :session_timeout module are on, the user is not logged out when the first session ends, because session_timeout invalidate the session and remember_me module creates another after that. With this problem we cant logged out a user with timeout when remember_me is on
Solution
Forget remember me token in session_timeout
closes #303