- **status**: code-review --> in-progress
- **QA**: Dave Brondsema
- **Comment**:

So I've learned that by default 
[Chrome](http://stackoverflow.com/questions/10617954/chrome-doesnt-delete-session-cookies)
 and [Firefox](https://bugzilla.mozilla.org/show_bug.cgi?id=443354) keep 
session cookies after closing & reopening a browser.  Those can be changed with 
[settings](http://dalevisser.wordpress.com/2012/07/18/how-to-fix-firefox-and-chrome-default-of-retaining-session-cookies-insecurely/).
  Still a useful feature for us to add for IE/Safari/other users and those who 
have changed their Chrome/Firefox settings.

In this implementation, I'm not comfortable with how much of 
`SessionMiddleware.__call__` is copied into `RememberLoginSessionMiddleware`.  
There are many lines in there that aren't relevant to allura and things could 
break easily if beaker is upgraded in the future.  It's unfortunate that 
`SessionMiddleware` doesn't have a cleaner simpler method for us to override or 
even monkey-patch.  What other options do we have?  Is it possible to use the 
regular `SessionMiddleware`, and then in our own code after it runs we check 
`login_expires` and kill the session?  Or if we need to be more low-level, have 
a new piece of middleware that runs right after `SessionMiddleware` and changes 
the cookie headers?  Something that's not so intricately coupled to 
`SessionMiddleware` internals.

And visually I think the login form would look better if `[] Remember Me` was 
aligned with the username/password input boxes and Login button.



---

** [tickets:#7451] Remember me option on login**

**Status:** in-progress
**Milestone:** limbo
**Labels:** 42cc 
**Created:** Mon Jun 09, 2014 05:08 PM UTC by Dave Brondsema
**Last Updated:** Fri Jul 18, 2014 08:51 AM UTC
**Owner:** nobody

Allura uses cookie-based auth (potentially could be configured to something 
different, via the `beaker.session.*` values in the `.ini` config file).  The 
[cookie defaults to never 
expiring](http://beaker.readthedocs.org/en/latest/configuration.html#session-options)
 but I'd like a "remember me" checkbox (that does have an expiration, 
configurable server-side like 1 year).  And if you don't check the checkbox, 
then the login session only lasts for the browser session.

I don't know if the `cookie_expires` field can be set dynamically (=True for 
not remember me, and = num seconds for remember me).  Docs don't really talk 
about it, so I hope `SessionMiddleware` does have a way to support it.


---

Sent from sourceforge.net because [email protected] is subscribed to 
https://sourceforge.net/p/allura/tickets/

To unsubscribe from further messages, a project admin can change settings at 
https://sourceforge.net/p/allura/admin/tickets/options.  Or, if this is a 
mailing list, you can unsubscribe from the mailing list.

Reply via email to