Logins via OAuth2 without GitLab 2FA get logged out in an hour
As reported in https://gitlab.com/gitlab-com/support-forum/issues/3757, it looks like the cookie expiration time is 1 hour even though the backend session TTL is set to 7 days.
This is a regression in https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/20700. Here's how to reproduce:
- Disable 2FA in GitLab
- Login via an OAuth provider
- View your session cookie: `_gitlab_session_XXX` will have an expiration time of 1 hour.
When 2FA is enabled, an extra request goes to `POST /users/sign_in`, which sends back an updated session cookie without an expiration date.
One way we could fix this is to override the `limit_unauthenticated_session_times` method in `OmniauthCallbacksController`. I don't really like that fix because the user isn't technically authenticated until the callback is complete, but as far as I know there's no way to ensure the callback URL will be a POST request; it has to be a GET, and the `Set-Cookie` header should only be done on a POST request.
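To make the two login paths easier to compare, here is an added Ruby model of the cookie-expiry behaviour described above. It is not GitLab's code: the method and constant names (`issue_cookie`, `simulate_login`, `UNAUTHENTICATED_TTL`, the `refresh_on_get_callback` switch) and the request sequences are assumptions constructed for illustration. It shows why a login that authenticates only through a GET callback keeps the 1-hour unauthenticated expiry, why the extra `POST /users/sign_in` in the 2FA path resets it, and what refreshing the cookie on the callback (the proposed override) would change.

```ruby
# Added illustration, not GitLab's code: a minimal model of session-cookie
# expiry for the OAuth login flow described in the issue. All names below are
# hypothetical.
UNAUTHENTICATED_TTL = 60 * 60           # 1 hour, the expiry observed in the bug
BACKEND_SESSION_TTL = 7 * 24 * 60 * 60  # 7 days, the server-side session TTL

# A session cookie as the browser stores it: the value and an optional expiry.
# expires_at == nil means a plain session cookie with no expiration date.
SessionCookie = Struct.new(:value, :expires_at)

# Model of limit_unauthenticated_session_times-style behaviour: a visitor who
# is not signed in gets a cookie with a short expiry; a signed-in user gets a
# cookie without one.
def issue_cookie(user_signed_in:, now:)
  if user_signed_in
    SessionCookie.new('_gitlab_session_XXX', nil)
  else
    SessionCookie.new('_gitlab_session_XXX', now + UNAUTHENTICATED_TTL)
  end
end

# Replay a login flow. Each step is [http_method, path, authenticates_user?].
# The model only re-issues (Set-Cookie) the session cookie on POST requests,
# matching the constraint described in the issue, unless refresh_on_get_callback
# models the proposed OmniauthCallbacksController override.
def simulate_login(steps, now:, refresh_on_get_callback: false)
  cookie = issue_cookie(user_signed_in: false, now: now)  # first unauthenticated hit
  signed_in = false
  steps.each do |method, path, authenticates|
    signed_in ||= authenticates
    refresh = method == 'POST' ||
              (refresh_on_get_callback && path.end_with?('/callback'))
    cookie = issue_cookie(user_signed_in: signed_in, now: now) if refresh
  end
  cookie
end

# Constructed request sequence: OAuth login with 2FA disabled (the bug).
def oauth_without_2fa(now:, refresh_on_get_callback: false)
  simulate_login([['GET', '/users/auth/provider', false],
                  ['GET', '/users/auth/provider/callback', true]],
                 now: now, refresh_on_get_callback: refresh_on_get_callback)
end

# Constructed request sequence: OAuth login with 2FA enabled, which adds the
# POST /users/sign_in step mentioned in the issue.
def oauth_with_2fa(now:)
  simulate_login([['GET', '/users/auth/provider', false],
                  ['GET', '/users/auth/provider/callback', false],
                  ['POST', '/users/sign_in', true]], now: now)
end

# True if the browser would have dropped the cookie, or the backend session
# would have expired, after elapsed_seconds.
def logged_out_after?(cookie, elapsed_seconds, now:)
  return true if elapsed_seconds >= BACKEND_SESSION_TTL
  return false if cookie.expires_at.nil?
  now + elapsed_seconds >= cookie.expires_at
end

if __FILE__ == $PROGRAM_NAME
  t0 = Time.now
  puts "no 2FA, 1h later logged out: #{logged_out_after?(oauth_without_2fa(now: t0), 3600, now: t0)}"
  puts "2FA, 1h later logged out:    #{logged_out_after?(oauth_with_2fa(now: t0), 3600, now: t0)}"
  fixed = oauth_without_2fa(now: t0, refresh_on_get_callback: true)
  puts "callback override, 1h later: #{logged_out_after?(fixed, 3600, now: t0)}"
end
```

The model makes the trade-off in the issue concrete: the only step in the non-2FA flow that establishes the user is a GET, so without re-issuing the cookie there the short expiry set on the first unauthenticated request is what the browser keeps for the whole login.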