Extend the duration of persistent session after every request

David requested to merge extend-persistent-session-duration into master

Closes #815 (closed)

What does this MR do?

Via the REST API we currently allow clients to request a persistent session (with longer lifetime and using persistent cookies). However, the lifetime of the persistent cookie is fixed and is not extended upon follow-up requests (in contrast to the flourish session on the server (cf. https://github.com/flourishlib/flourish-classes/blob/60f80f1fbf10dea5cb05f98e9af3f0f96d9d9101/fSession.php#L531)).

As a result, even when a client sets the rememberMe option, users have to log in again after one week since the cookies expire, though the session may still be valid.

This change extends the lifetime of the cookies after every request.

In addition, I increased the initial lifetime of the session from 1 week to 2 weeks.

How confident are you it won't break things if deployed?

In general, currently only the Android app uses persistent sessions. So the website isn't affected.

Extending the validity of the cookies shouldn't have any security consequences, since a client could already now decide not to delete the cookies after they expired.

I don't see that the extended initial lifetime could cause any issues.

How to test

Steps a reviewer can take to verify that this MR does what it says it does e.g.

  1. Log in via the API /api/user/login using the rememberMe option and note the expiration date of the cookies
  2. Do a request against any other endpoint and check that the response extends the lifetime of the cookies

Steps a beta tester can take to verify that this MR does what it says it does e.g.

  1. Log in to the Android app
  2. Use the app about once a week and check that you didn't have to log in again after about one month

Checklist

  • added a test, or explain why one is not needed/possible...
  • no unrelated changes
  • asked someone for a code review
  • joined #foodsharing-beta channel at https://slackin.yunity.org
  • added an entry to CHANGELOG.md (description, merge request link, username(s))
  • Once your MR has been merged, you are responsible to update the #foodsharing-beta Slack channel about what has been changed here. They will test your work in different browsers, roles or other settings
Edited by David
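
The reviewer check from "How to test", written as an added example that is not part of the merge request or the project's code: it compares the `Set-Cookie` header from the login response with the one from a follow-up response and reports whether the expiry moved forward and whether the renewed cookie kept its `Secure`/`HttpOnly` flags. The cookie name `PHPSESSID`, the header values and the timestamps are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

def cookie_expiry(set_cookie, name, received_at):
    """Return (expiry, flags) for cookie `name` in one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    if name not in jar:
        return None, set()
    morsel = jar[name]
    flags = {f for f in ("secure", "httponly") if morsel[f]}
    if morsel["max-age"]:  # Max-Age takes precedence over Expires (RFC 6265)
        return received_at + timedelta(seconds=int(morsel["max-age"])), flags
    if morsel["expires"]:
        return parsedate_to_datetime(morsel["expires"]), flags
    return None, flags     # no lifetime attribute: not a persistent cookie

def check_sliding_renewal(login_hdr, followup_hdr, name, t_login, t_followup):
    """Return a list of findings; an empty list means the renewal looks correct."""
    exp_login, flags_login = cookie_expiry(login_hdr, name, t_login)
    exp_next, flags_next = cookie_expiry(followup_hdr, name, t_followup)
    if exp_login is None:
        return ["login response did not set a persistent cookie"]
    if exp_next is None:
        return ["follow-up response did not re-issue the cookie with a lifetime"]
    findings = []
    if exp_next <= exp_login:
        findings.append("cookie expiry was not extended")
    lost = sorted(flags_login - flags_next)
    if lost:
        findings.append("renewed cookie lost flags: " + ", ".join(lost))
    return findings

# Constructed sample data: login, then a follow-up request three days later.
T_LOGIN = datetime(2025, 1, 1, 10, 0, tzinfo=timezone.utc)
T_NEXT = T_LOGIN + timedelta(days=3)
LOGIN = "PHPSESSID=abc123; Max-Age=1209600; Path=/; Secure; HttpOnly"
RENEWED = "PHPSESSID=abc123; Max-Age=1209600; Path=/; Secure; HttpOnly"
RENEWED_NO_FLAG = "PHPSESSID=abc123; Max-Age=1209600; Path=/; Secure"

if __name__ == "__main__":
    for label, hdr in [("renewed", RENEWED), ("missing", ""),
                       ("flag dropped", RENEWED_NO_FLAG)]:
        result = check_sliding_renewal(LOGIN, hdr, "PHPSESSID", T_LOGIN, T_NEXT)
        print(label, "->", result or "ok")
```
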