User/password signin without the "Remember me" checkbox enabled is broken

Summary

When I sign into my EE GDK instance using root / 5iveL!fe without "remember me" checked, the cookie seems to last for a very short time indeed. It lives long enough to get me to the dashboard, but if I follow another link immediately after, it treats me as an unauthenticated user.

Checking the "remember me" box on login allows the cookie to persist for longer.

Steps to reproduce

  • Sign in with username / password, ensuring "remember me" is unchecked
  • Wait a second or two, then click the "admin" link

My browser is Firefox, set up with some fairly extreme privacy settings:

Screenshot_from_2017-07-04_15-30-07

However, signing in without "remember me" works fine in CE and used to work in EE.

My CE/EE setups aren't exactly the same, as my CE install uses 2FA as well, but I don't think that's masking the bug, whatever it is. More likely to be a bad merge into EE.

What is the current bug behavior?

302 Redirect to login page

What is the expected correct behavior?

200 OK admin dashboard

Relevant logs and/or screenshots

Screenshot_from_2017-07-04_15-25-19

Screenshot_from_2017-07-04_15-25-42

Screenshot_from_2017-07-04_15-25-34

Screenshot_from_2017-07-04_15-25-57

Screenshot_from_2017-07-04_15-26-01

Possible fixes

We don't get as far as authenticate_admin! in Admin::DashboardsController so the cookie must be expiring or being considered invalid somehow.

Edited Jul 04, 2017 by Nick Thomas