
Clarifying GitLab session behavior

Summary

Our session behavior is a bit confusing. This issue is a description of how it works today.

The outcome of this issue could be simplifying this behavior and/or documenting it more completely at https://docs.gitlab.com/ee/user/profile/#session-duration

Background

If you look at the issues in this epic (&9368), we have a lot of folks complaining about losing their sessions, primarily on mobile.

This resulted in an exploration of our session behavior and any edge cases that may result from how things work today. Here is what I have learned so far.

"Remember me" checkbox during login

  • Devise's remember_for value defaults to 2 weeks
  • When a user logs in with remember_me checked, the remember_created_at attribute is set on that user record.
  • When a user logs in with remember_me checked, a persistent cookie remember_user_token is created in the browser. When you use the 'sign out' button that remember_user_token cookie is removed.
  • When a user is found via a cookie, Devise checks if the cookie "should be remembered" based on the value of User#remember_created_at and remember_for
  • When the Devise extend_remember_period setting is true, the user's remember period is extended whenever the user is remembered via a cookie. We have this set to true for GitLab.com
  • So, when a user sets remember_me, their session cookie will be extended indefinitely as long as they are active within a 2 week period.

session_expire_delay Application Setting

We also have an application setting called session_expire_delay. That is used as follows:

  • current_user defined in Devise
  • Calls to Warden's authenticate method, which calls the set_user method
  • In config/initializers/warden.rb, we call ActiveSession.set within the Warden::Manager.after_set_user hook.
  • ActiveSession.set sets the session expiry to Settings.gitlab['session_expire_delay'] * 60.
  • Settings.gitlab['session_expire_delay'] has a default value of 10080, which is 1 week in minutes.
  • After leaving 'remember me' unchecked and quitting the browser, the browser forgets the _gitlab_session cookie and the user is signed out. Note that the _gitlab_session token still exists in Redis, so if an attacker obtains your _gitlab_session token before it expires they still have full access.
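To make the two timers above concrete, here is an added example (not GitLab or Devise code): a simplified model that replays a series of requests after a login with "remember me" checked, using the defaults this page states (session_expire_delay of 10080 minutes, remember_for of 2 weeks, extend_remember_period on). It reports what the Redis session TTL and the remember cookie each say when a request arrives, without deciding the resulting sign-in state.

```ruby
# Added example, not GitLab or Devise code: a simplified model of the two
# independent timers described above, using the defaults this page states.
SESSION_EXPIRE_DELAY   = 10_080         # Settings.gitlab['session_expire_delay'], minutes (1 week)
REMEMBER_FOR           = 14 * 24 * 3600 # Devise remember_for default, seconds (2 weeks)
EXTEND_REMEMBER_PERIOD = true           # as set for GitLab.com
DAY = 24 * 3600

# TTL that ActiveSession.set applies to the Redis-backed session (minutes * 60).
def session_ttl_seconds
  SESSION_EXPIRE_DELAY * 60
end

# Devise's "should be remembered" check, modelled as: the remember cookie is
# honoured while the time since the remember window started is <= remember_for.
def remembered?(window_start, now)
  now - window_start <= REMEMBER_FOR
end

# Replay requests separated by idle gaps (seconds) after a login with
# remember_me checked at t = 0. Each step reports what the two timers say
# when the request arrives; it does not decide the resulting sign-in state.
def simulate(idle_gaps)
  now = 0
  window_start = 0        # start of the current remember window
  last_session_touch = 0  # last time the Redis session expiry was set
  idle_gaps.map do |gap|
    now += gap
    session_alive = (now - last_session_touch) < session_ttl_seconds
    remembered = remembered?(window_start, now)
    # A live session has its expiry re-set on every authenticated request.
    last_session_touch = now if session_alive
    # Being remembered via the cookie extends the remember period.
    window_start = now if remembered && EXTEND_REMEMBER_PERIOD
    { day: now / DAY, session_alive: session_alive, remembered: remembered }
  end
end

if __FILE__ == $PROGRAM_NAME
  # 6d, 6d: both timers hold; 8d, 8d: Redis TTL lapsed but the cookie keeps
  # extending; 15d: the remember window finally lapses too.
  simulate([6 * DAY, 6 * DAY, 8 * DAY, 8 * DAY, 15 * DAY]).each { |s| p s }
end
```

The 8-day gaps show the gap the second question asks about: the Redis session has been dead for a day while the remember cookie is still within its window.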

Questions

  1. What happens if a user starts multiple sessions but doesn't have remember_me checked during a 2nd login? Does that cancel remember_me for all of their sessions because it unsets User#remember_created_at? (I think it does. Which is...interesting and maybe unexpected).
  2. Right now, the default value for session_expire_delay is 1 week and the default value for remember_for is 2 weeks. If remember me is checked during login, the remember_user_token cookie is created and valid for up to 2 weeks of inactivity. But if a user is inactive for 1 week, their session will already be revoked due to session_expire_delay...I think? If this is the case, we should update all docs references to being signed out after "2 weeks of inactivity" because it is really 1 week of inactivity.
  3. I am a bit confused about why we have session_expire_delay as an application setting that is separate from remember_for (set via Devise config). These serve 2 different functions but it's confusing that a session could expire on a different timeline than the current user is remembered. This confusion is reflected in the docs here, which state "Stay signed in for two weeks: By default, you are signed out of GitLab after seven days (10080 minutes) of inactivity or until you close your browser window, whichever comes first."
Edited by Jessie Young