Rick -
Within the wwProcess::Authenticate() method, there is the following code..
IF Request.IsChecked("WebLogin_chkRememberMe")
*** Keep the cookie around
THIS.oResponse.AddCookie(this.cSessionKey,Session.cSessionId,"/",MimeDateTime(DATE() + 5))
ENDIF
It would be useful if the default of 5 days for the cookie expiration date could be #DEFINE'd in wconnect.h so it could easily be re-defined.
- Mike McDonald
Ok, finally had some time to look at this. Added wwProcess::nAuthenticationTimeoutMinutes which allows you to specify the timeout in minutes.
+++ Rick ---
Rick -
Added wwProcess::nAuthenticationTimeoutMinutes which allows you to specify the timeout in minutes.
Thanks for the new property. That will help me with a small personal project I'm converting to use all SQL data, as well as implementing the MVC pattern.
What is the cookie timeout for the Message Board? I had to Sign In today even though I last posted on January 21st and I last visited the support.west-wind.com site on the 22nd.
I guess the cookie expiration date doesn't update just by posting or visiting the site. I find that I have to Sign In frequently, even though I'm checking the board fairly often.
- Mike McDonald
Hello, my 2 cents .. cookies are linked to the browser
The cookie is good for 7 days. No rolling renewals so after 7 days you'll have to log back in. I bumped this to 15 days because I see it also and it bugs me from time to time too.
As Marcel says if you use different browsers - especially two Chromium browsers (I use Brave and Chrome interchangeably a lot) - I think the cookies are specific to each. In my case I probably sometimes log in with Chrome or Brave adn then wonder why the time out is up 😃
+++ Rick ---
Rick -
In wwProcess::Authenticate() there is a SET STEP ON
statement.
- Mike McDonald
Rick -
The cookie is good for 7 days (changed to 15).
Has something more recently changed with the Message Board cookie timeout? I'm having to Sign In every day now, and actually multiple times today when I was testing my app while also waiting to reply to another message. That is, I started to Reply, but by the time I tried to post my message a while later, I was already logged out / expired.
It looks like the WWT
cookie was set to expire maybe 20 minutes after my most recent login.
- Mike McDonald
Yes the way the cookie is process has changed, but the new cookie should be much longer.
Can you do a full refresh of your browser (Ctrl-Shift-F5) and perhaps clear out your cookies for west-wind.com
. I've made this change about 2 weeks ago and since then I've not had to log in again. The timeout has been bumped to 25 days.
I use 3 different browsers on a regular basis and they all seem to work with logins sticking so I wonder what's different?
To troubleshoot this might help:
- Use the Chrome (or whatever) dev tools (F12)
- Find the Application tab, Cookies
- Clear the
wwt
cookie - Come back to the message board (you should be logged out)
- Sign back in
- Check the cookies and see what the cookie expiration is
The only thing I can think of is that you had an old cookie to happened to be expiring as you were using the site.
+++ Rick ---
Rick -
OK, I disabled the (Chrome) browser cache and reloaded the page fully. Then I removed the wwt cookie, shut down the browser completely and went back to the initial message board page.
Before logging in, I checked my cookies, and wwt was there, with an expiration date of April 3rd (31 days out) with the current time.
After logging in, the same wwt cookie was there (that is, it had the same 16 digit value as before), but now it had an expiration date of March 4th (today) with the time set to 20 minutes out.
I went through this process twice with the same results.
One other difference - when first visiting the site after having deleted the cookie, it was set as HttpOnly, but once I logged in, it was not set as HttpOnly.
- Mike McDonald
It took some sleuthing to track this down - everything looked right, but there's a small bug in the wwPageResponse::AddCookie()
method when you pass a preformatted MimeDate() it doesn't use it, but rather uses the default cookie timeout. Easy fix - I pass the expiration as a DateTime or number and now the cookie properly sets and should stay set for 30 days.
Give this another shot - sign out and sign back in then check your cookie. It should be a month out.
Fixed another related issue that comes up when re-authenticating while a session is still active - it wasn't using the cookie timeout for the re-auth, which resulted in a short cookie again. InitSession()
now sets the cookie timeout for the process to ensure they are the same.
Thanks for your help - a couple of those were bugs in Web Connection.
+++ Rick ---
Rick -
OK I tried this again - I deleted my WWT cookie and hit the message board. I got a cookie which was set to expire on April 4, 2019 (30 days out).
Then I logged in and had the same cookie value for WWT, but now it was set to expire on February 7, 2024 (five years out), and using HttpOnly this time.
- Mike McDonald
Hmmm... the long timeout cookie is the NEVER
clause which is enabled, but also there is a 30 day timeout. I'm not sure how you're hitting the NEVER timeout. I've tried in a number of different ways but I can't get anything but the 1 month timeout now.
+++ Rick ---
Rick -
I only get the 5 year expiration date if I check the "Remember me on this device" checkbox. If I don't check it, the cookie remains at the 30 day expiration date, and it remembers my login anyway - I can close my browser and go back to the site and I'm still logged in.
The login form has two inputs named "WebLogin_chkRememberMe". One is a 'hidden' input with a value of 'false', and the other is a 'checkbox' input with a value of 'true' (if checked). Both have the same name of "WebLogin_chkRememberMe".
I wonder if my browser (Chrome) is sending those formvars back in a different order than your browser, so you are seeing a different behavior?
- Mike McDonald
Argh - yes found it.
My calculation for the timeout was based on seconds but the session timeout is given in minutes. The 5 years is 60 times what the timeout should have been 😃
Ok I think now this is fixed.
+++ Rick ---
Rick -
Yes, I'm seeing the correct cookie expiration dates now, and when I don't check the 'Remember me' checkbox, it expires in 20 minutes instead of 30 days as it was doing previously. All good..
- Mike McDonald
Thanks...
Although this is still not quite right. There should be no expiration date when the Remember Me setting is not set with the cookie set to expire with the browser session, but I think this is due to the default Session behavior in Web Connection which defaults to 20 minutes.
That needs more investigation and is a deeper (legacy) issue.
+++ Rick ---