Opened 11 years ago

Closed 9 years ago

#1030 closed enhancement (fixed)

[PATCH]automatic logon to OSM site

Reported by: paul@…
Owned by: Tom Hughes
Priority: minor
Milestone: Wishlist
Component: admin
Version:
Keywords:
Cc: chippy2005@…

Description

Could we allow automatic logon to the OSM website? Presumably the site could just use the current cookies, and the userid's profile page just needs to be updated to give the user an option to log on automatically.

Attachments (1)

remember_me.patch (4.1 KB) - added by chippy 10 years ago.
patch to enable automatic browser login via cookie


Change History (13)

comment:1 Changed 10 years ago by chippy

Cc: chippy2005@… added

Changed 10 years ago by chippy

Attachment: remember_me.patch added

patch to enable automatic browser login via cookie

comment:2 Changed 10 years ago by chippy

The above remember_me.patch (rails_port_branches/api06/) allows a user to log onto the website via setting a cookie. On the login page, a checkbox is added labelled "remember me". If this is checked, and the user logs in and later closes the browser, closing the session, the user can log in later automatically using the cookie. Clicking "logout" deletes that cookie value, and the user has to log in manually as before. The default cookie remember time is 2 weeks.

comment:3 Changed 10 years ago by chippy

Summary: automatic logon to OSM site → [PATCH]automatic logon to OSM site

comment:4 Changed 10 years ago by paul@…

Can we make the default remember time 5 weeks (e.g. 1 month)?

comment:5 Changed 10 years ago by Thomas Wood

I've just realised a patch had been written. I'd been hitting a brick wall trying to work out how Rails handled cookies for weeks in late Feb/March?, trying to write this feature. I should have just looked at Trac!

comment:6 Changed 10 years ago by Tom Hughes

It's ridiculously complicated though - all we need to do is set the expiry on the existing cookie surely?

comment:7 Changed 10 years ago by chippy2005@…

There could be some simplifications: the four methods in the User model could be unfactored back into two. The little check box on the login view could be removed, along with a couple of lines in user_controller that deal with it, but this would take away the ability for a user not to let the cookie log them in automatically.

comment:8 Changed 10 years ago by Tom Hughes

The checkbox is fine, it's all the backend behind it that seems wrong to me.

We already have a browser cookie with a session ID that tells us who the user is, so why do we need a new cookie and new database columns to track that token? Why not just set the expiry on the existing session cookie?

comment:9 Changed 10 years ago by chippy

Mainly because we use sql_session_store to store sessions, and sessions are meant to expire when the browser is closed afaik, so we wouldn't be able to use the session ID, as it no longer exists. We can increase session expiry for this session storage option, but from what I gather, it would affect all users. So, we need to use something to authenticate a user based on a cookie that hangs around after the browser is closed and session ends, and we need to check to make sure that the cookie matches up with the specified user, the user has set themselves to be remembered, and that the cookie hasn't expired.
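The three checks described in comment:9 (the cookie matches the specified user, the user has opted in, the token has not expired), as an added Ruby example that is not part of the ticket or of remember_me.patch. The `RememberedUser` struct, the method names and the `id:token` cookie layout are hypothetical, and storing only a SHA-256 digest of the token is a choice of this example, not something the ticket states.

```ruby
require "securerandom"
require "digest"

REMEMBER_FOR = 14 * 24 * 60 * 60 # two weeks, the default stated in comment:2

# Hypothetical stand-in for the extra columns on the users table.
RememberedUser = Struct.new(:id, :remember_me, :token_digest, :token_expires_at)

# Login with the box ticked: the raw token goes into the cookie,
# only its digest is kept server-side (assumption of this example).
def issue_remember_token(user, now: Time.now)
  raw = SecureRandom.hex(32)
  user.remember_me = true
  user.token_digest = Digest::SHA256.hexdigest(raw)
  user.token_expires_at = now + REMEMBER_FOR
  "#{user.id}:#{raw}"
end

# Logout: invalidate server-side as well as deleting the cookie.
def forget(user)
  user.remember_me = false
  user.token_digest = nil
  user.token_expires_at = nil
end

# Comparison that does not stop at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the user only if all three checks pass; nil otherwise.
def user_from_cookie(cookie, users, now: Time.now)
  id, raw = cookie.to_s.split(":", 2)
  user = users[id.to_i]
  return nil unless user && raw
  return nil unless user.remember_me && user.token_digest        # opted in
  return nil if user.token_expires_at.nil? || now >= user.token_expires_at # not expired
  secure_equal?(Digest::SHA256.hexdigest(raw), user.token_digest) ? user : nil # matches user
end
```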

comment:10 Changed 10 years ago by Tom Hughes

There is no particular reason why sessions have to expire when the browser is closed - that's just the way it is at present.

Yes I know, from looking at Edgemaster's patch, that there is an issue with there only being a global setting, but that just means we need to do some monkey patching or something ;-) Actually we have sql_session_store in our repo now so we can just flat out patch it if we want.

comment:11 Changed 10 years ago by Tom Hughes

Milestone: Wishlist

comment:12 Changed 9 years ago by tomhughes

Resolution: fixed
Status: new → closed

(In [20147]) Add a "remember me" box to the login screen that causes you to stay logged in across browser restarts - you will only be logged out if you don't visit for a month. Closes #1030.
