Skip to content

Logout after inactivity #11596

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 45 commits into from
Sep 23, 2025
Merged

Logout after inactivity #11596

merged 45 commits into from
Sep 23, 2025

Conversation

Luke-Oldenburg
Copy link
Contributor

@Luke-Oldenburg Luke-Oldenburg commented Sep 5, 2025
edited
Loading

Summary of the problem

Closes #7258
Supersedes #7303 and #7408
Screenshot From 2025-09-04 21-51-22

Describe your changes

github-actions[bot]
github-actions bot reviewed Sep 5, 2025
View reviewed changes
github-actions[bot]
github-actions bot reviewed Sep 5, 2025
View reviewed changes
@Luke-Oldenburg Luke-Oldenburg marked this pull request as ready for review September 5, 2025 01:51
@Luke-Oldenburg Luke-Oldenburg requested review from a team as code owners September 5, 2025 01:51
github-actions[bot]
github-actions bot reviewed Sep 5, 2025
View reviewed changes
Luke-Oldenburg
Luke-Oldenburg commented Sep 6, 2025
View reviewed changes
sampoder
sampoder reviewed Sep 6, 2025
View reviewed changes
sampoder
sampoder reviewed Sep 6, 2025
View reviewed changes
sampoder
sampoder requested changes Sep 9, 2025
View reviewed changes
Copy link
Member

@sampoder sampoder left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should be setting expiration_at and not bringing back peacefully expired. See #8950

@Luke-Oldenburg
Copy link
Contributor Author

The job malted wrote wouldn't have worked well because of the timing of expiration so I refactored the logic to signed_in_user in SessionsHelper.

sampoder
sampoder reviewed Sep 22, 2025
View reviewed changes
sampoder
sampoder approved these changes Sep 22, 2025
View reviewed changes
Copy link
Member

@sampoder sampoder left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm! @davidcornu can you take a quick look?

@Luke-Oldenburg @sampoder
Update user_session.rb
c69562a 
Co-authored-by: Sam Poder <[email protected]>
davidcornu
davidcornu reviewed Sep 22, 2025
View reviewed changes
github-actions[bot]
github-actions bot reviewed Sep 22, 2025
View reviewed changes
Luke-Oldenburg and others added 3 commits September 22, 2025 20:03
@Luke-Oldenburg
Update spec
1e3a986
@Luke-Oldenburg @github-actions
Update app/models/user_session.rb
4af8235 
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@Luke-Oldenburg
Fix spec
70a582d
github-actions[bot]
github-actions bot reviewed Sep 22, 2025
View reviewed changes
Luke-Oldenburg
Luke-Oldenburg commented Sep 22, 2025
View reviewed changes
davidcornu
davidcornu reviewed Sep 22, 2025
View reviewed changes
davidcornu
davidcornu reviewed Sep 22, 2025
View reviewed changes
davidcornu
davidcornu approved these changes Sep 22, 2025
View reviewed changes
Copy link
Member

@davidcornu davidcornu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Save for #11596 (comment), LGTM.

@sampoder sampoder merged commit ab1d1c4 into main Sep 23, 2025
13 checks passed
@sampoder sampoder deleted the lro-inactivity-logout branch September 23, 2025 00:34
garyhtou
garyhtou reviewed Sep 23, 2025
View reviewed changes
Copy link
Member

@garyhtou garyhtou left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Question: Does this mean that someone would keep a session forever alive? I feel like we should at least force users to sign in every X period (maybe at least every months; or 2 weeks).

@Luke-Oldenburg
Copy link
Contributor Author

Question: Does this mean that someone would keep a session forever alive? I feel like we should at least force users to sign in every X period (maybe at least every months; or 2 weeks).

#11596 (comment)

@garyhtou
Copy link
Member

Thanks for surfacing that comment. I do strongly believe that there must be a hard time limit on sessions. We shouldn't allow sessions to exist forever.

@Luke-Oldenburg
Copy link
Contributor Author

I would agree with that.

@garyhtou
Copy link
Member

@sampoder, did you have any further thoughts here?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@garyhtou garyhtou garyhtou left review comments

@github-actions github-actions[bot] github-actions[bot] left review comments

@davidcornu davidcornu davidcornu approved these changes

@sampoder sampoder sampoder approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[User Session] Log out after X days of inactivity

4 participants

@Luke-Oldenburg @garyhtou @davidcornu @sampoder