- Improvement
- Resolution: Unresolved
- Minor
- None
- Future Dev
This is split off from MDL-65812.
We should be looking to extend the session timeout, perhaps with a "Keep me logged in" or "Remember me" checkbox at login.
This has been requested many times in duplicate trackers, but it's often been confused with 'Remember me', which was interpreted as only the username when lots of people really meant the full session.
We need an admin setting for how long you should be remembered for, e.g. 1 month or 3 months. This is a maximum session length and should be treated differently to a session timeout. There are quite a few touch points.
From a security perspective, long-lived sessions are OK as long as you have the ability to re-authenticate when you need to do something sensitive, so I think this should be dependent on MDL-66172 (and why I didn't do it as part of MDL-65812).
Examples in the wild:
- has been marked as being related by
  - MDL-65856 UX Review of session expired timeout modal (Closed)
- is duplicated by
  - MDL-4578 Request - 'Remember me' checkbox (Closed)
  - MDL-773 Remember me at login (Closed)
  - MDL-71864 Auto-remember password (Closed)
- will be (partly) resolved by
  - MDL-66172 Add require_recent_login() for higher security pages (Development in progress)
- will help resolve
  - MDL-72928 Further improve login page (Closed)
  - MDL-65812 Increase default session timeout and allow it to be configured in the GUI (Closed)
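
A sketch of the distinction the description draws between a session timeout and a maximum session length, together with the re-authentication gate it ties to MDL-66172. This is an added example, not Moodle code or the reporter's proposal; every constant, array key and function name in it is an assumption, and the session record is constructed.

```php
<?php
// Added illustration, not Moodle code. Every name and value here is an assumption.
const IDLE_TIMEOUT = 8 * 3600;    // session timeout: longest allowed gap between requests
const MAX_LIFETIME = 90 * 86400;  // "remember me" cap set by the admin (here 3 months)
const RECENT_LOGIN = 15 * 60;     // how fresh the last credential check must be for sensitive pages

/**
 * Classify one request against a session record.
 * $s keys: created, lastseen, lastauth (Unix times) and remember (bool).
 * Returns 'login' (session over), 'reauth' (session kept, credentials needed) or 'ok'.
 */
function session_decision(array $s, int $now, bool $sensitive): string {
    // The maximum length counts from login and is never extended by activity.
    if ($now - $s['created'] > MAX_LIFETIME) {
        return 'login';
    }
    // Without "remember me" the ordinary idle timeout still ends the session.
    if (!$s['remember'] && $now - $s['lastseen'] > IDLE_TIMEOUT) {
        return 'login';
    }
    // A long-lived session may browse, but sensitive pages need a recent credential check.
    if ($sensitive && $now - $s['lastauth'] > RECENT_LOGIN) {
        return 'reauth';
    }
    return 'ok';
}

/** Record a successful re-authentication: freshness resets, the lifetime cap does not. */
function mark_reauthenticated(array $s, int $now): array {
    $s['lastauth'] = $now;
    $s['lastseen'] = $now;
    return $s;
}

// Constructed sample: a user who ticked "remember me" and logged in 20 days ago.
$now = 1700000000;
$s = ['created' => $now - 20 * 86400, 'lastseen' => $now - 3 * 86400,
      'lastauth' => $now - 20 * 86400, 'remember' => true];

echo session_decision($s, $now, false), "\n";               // ordinary page
echo session_decision($s, $now, true), "\n";                // sensitive page
$s = mark_reauthenticated($s, $now);
echo session_decision($s, $now + 60, true), "\n";           // sensitive page after re-auth
echo session_decision($s, $now + 80 * 86400, false), "\n";  // 100 days after login
echo session_decision(['remember' => false] + $s, $now + 9 * 3600, false), "\n"; // idle, not remembered
```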