Devise: timeout and rememberable

Seems like it was an accident 😞

Are you willing to work on this? I'm happy to accept a pull request.

I am junior Rails developer. I use Devise for every project. Can I pick this up?

Sure go ahead. I would've picked this up the next weeks as I just returned from abroad this week, but I'm also happy if it's done by someone else :)

So this is what I need to do:

• Change the timedout method to the older version which checks whether rememberable is enabled and has not expired.
• Fix/add tests

Right @dfherr ?

Thanks

Yes, that sounds right.

Any idea when the PR will get merged?

We are using rememberable, but have not been able to figure out whey our signin page continues to be a top ranking page (google analytics page views). We've also noticed our daily computers being logged out periodically for no apparent reason. Rememberable is set at 6 months so our daily machines should never be logged out. Is there some default timeout value that is over-riding our current rememberable config of 6 months?

We are using rememberable, but have not been able to figure out whey our signin page continues to be a top ranking page (google analytics page views). We've also noticed our daily computers being logged out periodically for no apparent reason. Rememberable is set at 6 months so our daily machines should never be logged out. Is there some default timeout value that is over-riding our current rememberable config of 6 months?

Default timeout is 30 minutes. See the comment for :timeoutable in config/initializers/devise.rb.

Because of this bug, it is overriding your 6 month rememberable value.

Is this issue fixed now ?
I've seen timeout of 30 minutos on my phone and ipad even setting:

devise.rb
config.timeout_in = 60.days

Correct me if I am wrong, but I think this issue was fixed by this commit https://github.com/plataformatec/devise/commit/b97b3e6e3b570324467ac84d807111837943ec20#diff-797da3c65aeb33325af12a67ae766003

where the check wether remember me is active happens in the timeoutable hook here.

We are also experiencing issues with the remember me feature, but incompatibility with the timeoutable module does not appear to be the source.

Hi folks,

I'm trying to understand this issue and I wasn't able to reproduce it in a new app using the last Devise version (4.6.0).

Things that I've tested:

With timeoutable turned off and rememberable turned on

• Sessions never expires unless the user marks the remember me option.
• If the user marks the remember me option, the user is going to be logged out once the rememberable time expires.

With timeoutable turned on and rememberable turned on

• The session is going to expire according to the time configured in config.timeout_in if the user didn't mark the remember me option.
• If the user marks the remember me option, the user is going to be logged in even if the timeoutable time expires but the rememberable doesn't.
• If the time configured in timeout_in is higher than the one configured inremember_for, the user is going to be logged out only when the timeout_in expires.

If I understood it correctly, there are no issues using timeoutable and rememberable together and as @JanBussieck pointed out, this logic was moved to timeoutable hook.

Could someone provide an application that reproduces this issue in isolation or give instructions to reproduce this issue?

I still have the issue, even after updating to 4.6.0.

This reproduces it for me consistently:

1. Set config to

config.timeout_in = 30.seconds
config.remember_for = 5.minutes

1. login with "remember" selected.
2. Idle for more than 30 seconds (important or timeout refreshes itself!)
3. click a logged-in page --> get logged out

We are not able to reproduce the issue with a newly created Rails application. Are you testing with your app or have you created a new one to test this in isolation?

I'm going to attach here the app that I'm using so that you can see if I'm missing something:

remeber-timeout.zip

There's also this Gif showing how I'm testing:

You can see that I issue the last request to users/edit at 18:27:24 and wait until 18:28:17 (almost one minute) to try to reload the page, and it still works.

No, I have used my existing application. Readded timeoutable to the user, reproduced it with my old version (4.3.something) and then again after updating to 4.6.0. Removing timeoutable also solves the bug for me.

I'll try to reproduce it with your example application, once I find time. There is at least something wrong with timeoutable and my application setup.

Hi @dfherr, do you have any updates on this?

I'm closing this issue because it had no recent activity.

If you're still facing this on the latest version, please open a new one with all the information requested in the template.

Thank you!

I don't know if anyone is still watching this or not, but after coming across the same weird issues with timeoutable and rememberable not playing nicely, I dug in and figured out what the (or an?) issue is.

By default devise comes with the following lines in the initializer:

# Options to be passed to the created cookie. For instance, you can set
# secure: true in order to force SSL only cookies.
# config.rememberable_options = {}

So if you uncomment the line and add "secure: true" to the hash it basically renders rememberable useless in local development because the default "rails server" command only uses http so the secure https cookie gets ignored. Once I commented that line out again timeoutable and rememberable started playing nicely together again 😄

So I've added the following to my project:

config.rememberable_options = {}
config.rememberable_options[:secure] = true if Rails.env.production?

So now it works without the secure cookie locally and then uses the secure cookie in production.

Hope that helps someone!