Gitea: "Remember me" option on login page do not always work
- Gitea version (or commit ref): bb5a6b7 (current master)
- Git version: git version 2.10.0.windows.1
- Operating system: Windows
- Database (use
[x]):
- [x] PostgreSQL
- [ ] MySQL
- [ ] SQLite
- Can you reproduce the bug at https://try.gitea.io:
- [x] Yes (provide example URL) https://try.gitea.io/user/login
- [ ] No
- [ ] Not relevant
- Log gist:
Description
Even if you check the "Remember me" checkbox, you sometimes have to login again after restarting the browser or computer. I think the right behavior should be remembering forever.
Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.
andreynering
All 7 comments
"Remember me" depends on cookies, do you clear all cookies when you restart the browser?
bkcsoft
on 29 Jan 2017
@bkcsoft No I don't. But maybe cookies are being expired in the server side.
andreynering
on 31 Jan 2017
@andreynering Yeah most likely
bkcsoft
on 12 Feb 2017
This can be closed?
rof20004
on 2 Jan 2019
I still experience this issue so I don't think it should be closed.
I just checked the client-side cookie situation with Firefox's web dev tools. I logged in to Gitea a few minutes ago for the first time since before Christmas, with 'remember me' ticked. A couple of cookies are set to expire once session has ended, the CSRF cookie expires after 24 hours, and two other cookies expire after 1 week. I'm guessing at least one of these should be set to never expire.
To summarise, my client cookies look like this:-
_csrf- set to expire 24 hours after logingitea_awesome- set to expire 1 week after logingitea_incredible- set to expire 1 week after logini_like_gitea- expires after session endslang- expires after session ends
I do not clear my cookies. I always tick 'remember me'. I am asked to re-login frequently. I've never made a note of how long my login stays 'remembered', I've made a note to do that now. I'm guessing it's after 24 hours, or 1 week. I'll update when I know.
Edit: I have been checking each day since last login, and I am still 'remembered' so far, after 2 days. I suspect it will forget me after 1 week but I am making a note of times and cookie status and will report back here in a few days time.
monkeyhybrid
on 2 Jan 2019
I can now confirm that as soon as the gitea_awesome and gitea_incredible cookies expire (one week after login, even with _Remember Me_ ticked), I am logged out and required to log back in again.
Is this not something everyone is experiencing?
I should probably add, I am currently accessing my local Gitea installation via HTTP until I move it to a new server with TLS. Does Gitea differentiate between the two, forcing shorter cookie life for non-HTTPS?
monkeyhybrid
on 12 Jan 2019
I just stumbled upon the sample configuration file, app.ini.sample, in the Gitea source. It shows a config option I had not noticed before:-
[security]
; How long to remember that an user is logged in before requiring relogin (in days)
LOGIN_REMEMBER_DAYS = 7
If this setting doesn't exist in your app.ini, the default of 7 days will be used. If this isn't to your liking, you just need to add / modify this option to whatever value suits you (and restart Gitea, and probably logout and in again).
I suppose this means this issue should be closed. :)
monkeyhybrid
on 2 Feb 2019
Related issues
jorise7
路
3Comments
lunny
路
3Comments
tuxfanou
路
3Comments
BNolet
路
3Comments
lunny
路
3Comments
Most helpful comment
I just stumbled upon the sample configuration file,
app.ini.sample, in the Gitea source. It shows a config option I had not noticed before:-If this setting doesn't exist in your
app.ini, the default of 7 days will be used. If this isn't to your liking, you just need to add / modify this option to whatever value suits you (and restart Gitea, and probably logout and in again).I suppose this means this issue should be closed. :)