User/password signin without the "Remember me" checkbox enabled is broken
Summary
When I sign into my EE GDK instance using root / 5iveL!fe without "remember me" checked, the cookie seems to last for a very short time indeed. It lives long enough to get me to the dashboard, but if I follow another link immediately after, it treats me as an unauthenticated user.
Checking the "remember me" box on login allows the cookie to persist for longer.
Steps to reproduce
- Sign in with username / password, ensuring "remember me" is unchecked
- Wait a second or two, then click the "admin" link
My browser is Firefox, set up with some fairly extreme privacy settings:
However, signing in without "remember me" works fine in CE and used to work in EE.
My CE/EE setups aren't exactly the same, as my CE install uses 2FA as well, but I don't think that's masking the bug, whatever it is. More likely to be a bad merge into EE.
What is the current bug behavior?
302 Redirect to login page
What is the expected correct behavior?
200 OK admin dashboard
Relevant logs and/or screenshots
Possible fixes
We don't get as far as authenticate_admin! in Admin::DashboardsController, so the cookie must be expiring or being considered invalid somehow.