devise: timeout and rememberable

Why was the timeout and rememberable compatibility removed?

def timedout?(last_access)
    return false if remember_exists_and_not_expired?

https://github.com/plataformatec/devise/blob/master/lib/devise/models/timeoutable.rb#L30 (removed in commit https://github.com/plataformatec/devise/commit/4ec7dc0f2777bde10125dcf6f72c536232086665)

Current behavior

Timeout and Rememberable do not work together. The shorter one overrules the longer one.

Expected behavior

I would expect rememberable to control sessions via cookie, while timeoutable can still control session time without cookies. (This is relevant both for http, where cookies are disabled on secure: true, and for users who explicitly choose not to select remember me.)

At the moment, when I want to use rememberable, I have no control whatsoever over session time, just over the session cookie expiration time.

About this issue

  • State: closed
  • Created 6 years ago
  • Reactions: 5
  • Comments: 17 (3 by maintainers)

Most upvoted comments

I don’t know if anyone is still watching this or not, but after coming across the same weird issues with timeoutable and rememberable not playing nicely, I dug in and figured out what the (or an?) issue is.

By default devise comes with the following lines in the initializer:

# Options to be passed to the created cookie. For instance, you can set
# secure: true in order to force SSL only cookies.
# config.rememberable_options = {}

So if you uncomment the line and add “secure: true” to the hash it basically renders rememberable useless in local development because the default “rails server” command only uses http so the secure https cookie gets ignored. Once I commented that line out again timeoutable and rememberable started playing nicely together again 😄

So I’ve added the following to my project:

config.rememberable_options = {}
config.rememberable_options[:secure] = true if Rails.env.production?

So now it works without the secure cookie locally and then uses the secure cookie in production.

Hope that helps someone!

Hi folks,

I’m trying to understand this issue and I wasn’t able to reproduce it in a new app using the latest Devise version (4.6.0).

Things that I’ve tested:

With timeoutable turned off and rememberable turned on

  • Sessions never expire unless the user marks the remember me option.
  • If the user marks the remember me option, the user is going to be logged out once the rememberable time expires.

With timeoutable turned on and rememberable turned on

  • The session is going to expire according to the time configured in config.timeout_in if the user didn’t mark the remember me option.
  • If the user marks the remember me option, the user is going to be logged in even if the timeoutable time expires but the rememberable doesn’t.
  • If the time configured in timeout_in is higher than the one configured in remember_for, the user is going to be logged out only when the timeout_in expires.

If I understood it correctly, there are no issues using timeoutable and rememberable together and as @JanBussieck pointed out, this logic was moved to timeoutable hook.

Could someone provide an application that reproduces this issue in isolation or give instructions to reproduce this issue?

We are not able to reproduce the issue with a newly created Rails application. Are you testing with your app or have you created a new one to test this in isolation?

I’m going to attach here the app that I’m using so that you can see if I’m missing something:

remeber-timeout.zip

There’s also a Gif showing how I’m testing:

You can see that I issue the last request to users/edit at 18:27:24 and wait until 18:28:17 (almost one minute) to try to reload the page, and it still works.
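The three bullets in the maintainer's comment above, plus the Secure-cookie caveat from the earlier comment, as an added Ruby model (not Devise's own code): timeout_in, remember_for, and the decision rule attributed to the timeoutable hook are assumptions stated in the comments.

```ruby
# Assumed configuration, constructed for this example (not taken from any real app).
TIMEOUT_IN   = 30 * 60            # config.timeout_in  = 30.minutes
REMEMBER_FOR = 14 * 24 * 60 * 60  # config.remember_for = 2.weeks

# Timeoutable's question: has the session been idle longer than timeout_in?
def timedout?(last_request_at, now, timeout_in: TIMEOUT_IN)
  return true if last_request_at.nil?
  (now - last_request_at) > timeout_in
end

# Rememberable's question: does a live remember cookie reach the app on this request?
# secure_cookie models rememberable_options[:secure]; a browser never sends a Secure
# cookie over plain http, which is what the development-mode comment above ran into.
def remember_me_active?(remember_created_at, now, remember_for: REMEMBER_FOR,
                        secure_cookie: false, https_request: true)
  return false if remember_created_at.nil?          # user did not tick "remember me"
  return false if secure_cookie && !https_request   # cookie withheld by the browser
  (now - remember_created_at) < remember_for
end

# Assumed decision rule of the timeoutable hook: the user is signed out only when
# the session timed out AND no live remember cookie is present. Either condition
# alone keeps the user logged in, which matches all three bullets above.
def session_still_valid?(last_request_at:, remember_created_at:, now:, **cookie_opts)
  !timedout?(last_request_at, now) ||
    remember_me_active?(remember_created_at, now, **cookie_opts)
end

if $PROGRAM_NAME == __FILE__
  now = Time.utc(2019, 1, 1, 12, 0, 0)          # constructed clock
  idle_31m = now - 31 * 60
  puts session_still_valid?(last_request_at: idle_31m, remember_created_at: nil, now: now)
  puts session_still_valid?(last_request_at: idle_31m, remember_created_at: now - 86_400, now: now)
  puts session_still_valid?(last_request_at: idle_31m, remember_created_at: now - 86_400, now: now,
                            secure_cookie: true, https_request: false)
end
```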

I am a junior Rails developer. I use Devise for every project. Can I pick this up?