Enable persistent session for user convenience and security #7180

Open
aphilop opened this issue Sep 3, 2024 · 1 comment
Labels
Feature Brand new functionality to be added to UWAZI Priority: Medium


aphilop commented Sep 3, 2024

Problem description
Currently, users must re-authenticate frequently due to the lack of a persistent session feature. This could lead to user frustration, particularly for those who use the application multiple times. Users should be able to control whether to stay signed in across sessions so they can balance convenience and security according to their needs.

Solution description
Introduce a persistent session feature with an option for users to stay signed in across sessions upon signing in. This feature should allow users to stay signed in for a configurable duration, balancing convenience with security. The solution should include necessary security measures to mitigate potential risks associated with persistent sessions.

Scope of the solution

  • Provide a way for the users to enable this feature while signing in to the application, e.g.

    1. Add a checkbox on the login screen for "Stay signed in" or similar wording. By default, this checkbox should be unchecked for enhanced security.
    2. Add an extra step in the login process to make the activation of the feature more explicit.
  • Provide a prompt to users explaining the benefits and risks of staying signed in, especially on shared or public devices.

  • When persistent session is enabled, the session should persist for a configurable duration (e.g., 14-30 days) unless the user explicitly logs out or clears cookies.

  • If persistent session is not enabled, the session should follow the default timeout policy (session and idle timeout).

  • Require re-authentication for sensitive actions even if the user is in a persistent session.

  • Notify users when their session is about to expire and provide an option to extend the session without needing to re-authenticate.

  • Implement analytics to track the usage of the persistent feature and monitor patterns of login behavior for security analysis.

@RafaPolit RafaPolit added Feature Brand new functionality to be added to UWAZI Priority: Medium labels Sep 6, 2024
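
A sketch of the session rules listed in the scope above, added here as an illustration and not taken from the Uwazi code base or from either commenter. The function names, the record fields, the Express-style cookie options and every timeout value except the 14-day figure are assumptions.

```javascript
// Added example: names and timeout values are assumptions, not Uwazi code.
const MINUTE = 60 * 1000;
const DAY = 24 * 60 * MINUTE;

const policy = {
  persistentMaxAge: 14 * DAY,        // configurable; the issue suggests 14-30 days
  defaultAbsolute: 12 * 60 * MINUTE, // assumed default session timeout
  defaultIdle: 30 * MINUTE,          // assumed default idle timeout
  reauthWindow: 10 * MINUTE,         // assumed freshness window for sensitive actions
};

// Build the server-side session record and the cookie attributes at login.
function createSession(staySignedIn, now) {
  // Only an explicit true opts in; an unchecked or missing box stays non-persistent.
  const persistent = staySignedIn === true;
  const lifetime = persistent ? policy.persistentMaxAge : policy.defaultAbsolute;
  return {
    record: { persistent, lastSeenAt: now, lastAuthAt: now, expiresAt: now + lifetime },
    // Without maxAge the cookie is a browser-session cookie and is dropped
    // when the browser closes; with it, the cookie survives restarts.
    cookie: {
      httpOnly: true,
      secure: true,
      sameSite: 'lax',
      ...(persistent ? { maxAge: lifetime } : {}),
    },
  };
}

// Evaluate a request against the stored record: 'ok', 'expired' or 'reauth'.
function checkSession(record, now, sensitive = false) {
  // Expiry is enforced on the server, so a copied cookie cannot outlive it.
  if (now >= record.expiresAt) return 'expired';
  if (!record.persistent && now - record.lastSeenAt >= policy.defaultIdle) return 'expired';
  // Sensitive actions need a recent password check even in a persistent session.
  if (sensitive && now - record.lastAuthAt >= policy.reauthWindow) return 'reauth';
  record.lastSeenAt = now; // activity resets the idle timer, never the absolute expiry
  return 'ok';
}

// Called after the user re-enters credentials for a sensitive action.
function reauthenticate(record, now) {
  record.lastAuthAt = now;
  record.lastSeenAt = now;
}
```

On logout the server-side record should be deleted as well as the cookie, so that the session identifier cannot be reused for the rest of its lifetime.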

juanmnl commented Sep 16, 2024

We are adding a "Stay logged in" checkbox so users can choose to have their session persisted in a common pattern, and modifying the first input label from "User" to "Username".


Design
