Automatic Logouts Are Too Frequent

Summary

Logout is too aggressive

Steps to reproduce

Login to gitlab using github Wait 1 day Access the site again

What is the current bug behavior?

I get logged out!!!!

What is the expected correct behavior?

I don't get logged out. This is a huge hassle in using Gitlab. I am actively working on a project, I am on that site every day. Why does it log me out? Set that security token to 1 month expiry and auto-renew it every time I am on the page.

Possible fixes

Set that security token to 1 month expiry and auto-renew it every time I am on the page.

Boom you've increased usability of the site by 1000%

That's a really simple change. I honestly don't know why it's logging me out at all? Is your usual customer sitting in a library using a public PC? Normally we are on our devices, and they're locked down on their own, there's no need to log anyone out.

Proposal

There may be different reasons for this issue to occur. For this issue, we will focus on adding the "Remember Me" checkbox to the Group SAML sign-in. Due to the existing functionality of SAML on GitLab.com, this means we will still redirect through the SAML flow once every 24 hours.

mentioned in issue #121672 (closed)

@n131 - Is this logout after 1 day happening on a self hosted GitLab-CE/GitLab-EE instance or GitLab.com?

The default session duration is 7 days as documented at: https://docs.gitlab.com/ee/user/profile/#why-do-i-keep-getting-signed-out

My experience on GitLab.com is that I'm not logged out every day.

added devopsmanage groupauthentication and authorization [DEPRECATED] severity4 typebug labels

It's on Gitlab.com

@n131 - Can you add your browser details to this bug report? I'm not seeing the same behavior and do not see other bug reports for this. For reference, I am using Chrome 79 or Firefox 71 on Mac OS 10.15.

@jeremy - would this bug report be under ~"group::access" or some other group?

mentioned in issue #193026 (closed)

mentioned in issue #195098 (closed)

Setting ~"Category:Authentication and Authorization" based on ~"group::access".

Setting ~"Category:Authentication and Authorization" based on ~"group::access".

Setting ~"Category:Authentication and Authorization" based on ~"group::access".

added 1 deleted label

mentioned in issue #196462 (closed)

mentioned in issue #197796 (closed)

mentioned in issue #198977 (closed)

mentioned in issue #201613 (closed)

mentioned in issue #204650 (closed)

+1 happening to me as well, but more like weekly -- it's also disastrous UX for private-hosted as you just get a 404 with no login link

This is happening to my friend across multiple browsers -- whatever it is it is account bound

+1 here. Every day and across multiple browsers

It is really annoying. for every action I take I have to re-login.

Can confirm that this is happening for me on all my devices/browsers, despite selecting 'remember me'.

This is particularly annoying on the iPhone, where signing in, especially with 2FA, is already cumbersome. On iOS, gitlab.com logs me out after a day or maybe sooner. Not conducive to quickly entering issues on the go, especially as there isn't a native iOS app.

I'm experiencing getting logged out every day as well, if performing forensics on my account information would help. Also, I get a cloudflare warning "checking your browser" everytime I navigate to gitlab for the first time every day, so it's possible for that to be related.

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36 Edg/84.0.522.63

(But it happened in Chrome on a Mac before in the past as well)

added sectiondev label

Has this been fixed?? Or should we just get used to this annoying experience?? I have to sign in everyday!!

Is there any work planned to address that?

Same symptomps for me, every day, happens on Chrome:

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36

@mushakov - Can you confirm this ~bug belongs on ~"group::access"? There seems to be a larger number of reports on this and the severity may need to be increased.

@kwiebers Yes this belongs to the access group

added UX label

added severity2 label and removed severity4 label

added priority2 label

This is happening for me as well. Very nice ... pause not

Please get on this @msnow1

Happens to me as well, logged in using Google (SSO)

Happens to me too on self hosted GitLab Community Edition 13.4.1. I noticed that my session cookie is always set to expiration date: Session which doesn't make much sense.

Temporay workaround: Manually setting the expiration date on _gitlab_session seems to work for me. Needs to be done on every device. Still annoying, though!

Happens to me also, only on mobile. On my Mac it works perfectly fine.

I think the issue is the cookie being stored as a single session cookie, forcing me to relogin everytime I close my browser's instance.

I cannot do as @hejfelix suggested, as I am on my mobile device.

added SLOMissed label

Can confirm this is happening for me as well on Firefox across multiple devices

Happens only on mobile Chrome and Safari for me.

Using GitLab.com.

Happens to me on my desktop computer - iMac 2019, Big Sur.

Used to happen on my laptop - MacBook, 2012, El Capitan (or whatever was latest version on that).

Doesn't happen on my new laptop - MacBook, M1, 2020, Big Sur.

@kwiebers is anyone looking into this ?

Thanks for the question @SBNox. Unfortunately, I'm not the direct responsible individual for scheduling and getting this bug investigated.

@mushakov @lmcandrew - Can you help clarify the status of this bug?

@SBNox @kwiebers I've set this to be tackled in the %Next 1-3 releases and will work with the engineering team to investigate it.

changed milestone to %Next 1-3 releases

added workflowplanning breakdown label

mentioned in issue #326347 (closed)

marked #326347 (closed) as a duplicate of this issue

marked this issue as related to #326347 (closed)

Copying some details here from my own experience - and from the closed duplicate:

• This logout happens very frequently for me, but in batches.
  • I see that most of the folks above are getting logged out once a day, but my experience is sporadically more extreme.
  • For example, I may not be logged out of GitLab at all for a week or so, and then for a few days, I will be logged out multiple times per day.

Here's an example of a very common situation for me:

1. I am logged in
2. I begin an MR review
3. I leave a comment or do some other action like leaving a reaction emoji
4. I continue the review - fewer than 5 minutes elapse
5. I try to leave another comment or a reaction - an error occurs, which doesn't inform me that I've been logged out.
   • Because I have dozens of experiences with this, I know to refresh the page, after which I see that the header bar is the "Log in / Sign Up" button instead of my profile image
   • However, none of the error messages indicate that I've been logged out, they just say that submitting my comment (etc.) has failed.
6. I log back in
7. Fortunately, comments are cached locally, etc. so I can pick right back up

One note: I recall this happening maybe once while creating an MR. The data on the create MR page is not cached, so the outcome is either lose everything entered there or have the cognizance to open a new tab, sign in, then open a new create MR page (which is now properly authenticated), copy everything over and submit there. Of course, while crossing your fingers that the new authenticated tab doesn't get logged out in the mean time

@thomasrandolph how are you logging into the platform exactly? Username/password? Social login, Okta, etc?

@m_gill Username/Password + Hardware 2FA (Yubikey).

On that note, I should say that Clicking the "Sign In" button causes a short load, and then "nothing" happens. I need to click "Sign in" again to get to the 2FA area (where it's waiting for the hardware generated code). Last time I tried logging in without hardware 2FA enabled, I don't recall this happening (6+ months ago?). So I naively suspect that hardware 2FA is causing issues with both requesting a login (by clicking "Sign in") and with staying logged in during an active session.

Not worth spending the time explaining the issue, this has been like that for over a year, and it is insanely simple to solve. Also, whatever you described is not what this post is about i believe.

Still happens to me frequently. This is so annoying, especially when 2 Factor Auth is buggy and you can't just simply log in every time.

Using GitHub to sign in too on all devices.

Are there any workarounds? I only see one for self-hosted gitlabs.

Same thing in Firefox and also noticed that the _gitlab_session is set to Session. Will try to update the Max-Age and see how it works.

A commercial customer https://gitlab.my.salesforce.com/0016100001VE9PH (Internal) is experiencing this throughout their organization on .com SaaS.

OK. I just got kicked out of Gitlab to reauthenticate in the middle of creating a new Merge Request. Really Not Cool! I know people are trying to make this happen through proper channels and processes, but this is seriously a bad experience. What else can we do to help get this fixed?

added customer label