During discovery around the setting SESSION_INACTIVITY_TIMEOUT_IN_SECONDS, we noticed that our current configuration around SESSION_COOKIE_AGE isn't working as we thought, and this ticket is to learn more about our current settings.
Additional notes:
It may be that SSO to edX Stage using OneLogin updates our login cookies, so testing in Stage, Prod, etc. may require test accounts that don't use SSO.
When @jristau1984 did testing in Stage (or possibly Prod), he used a test (non-SSO) account, waited over 2 weeks (current configuration for SESSION_COOKIE_AGE), saw the cookies expire and disappear in the browser, and, on returning to an MFE tab, was able to see the session restored.
This finding was quite mysterious.
Can others duplicate this? Possibly in other environments like devstack. If so, what can revive the session and session cookie after the session cookie has disappeared?
MFEs use the JWT cookie (currently lasting an hour). When the JWT cookie has expired, but the session cookie is still active, an MFE can create a new JWT cookie (via login_refresh).
Does the session cookie expiration get updated at the same time? This probably extends the session life.
Does this work as a sort of session extension with MFE session activity?
It may make sense to first test in devstack with MFEs and shorter timeouts.
We decided that additional experimentation with the separate setting SESSION_INACTIVITY_TIMEOUT_IN_SECONDS doesn't make sense until we understand how the current setting of SESSION_COOKIE_AGE works (or doesn't work). Once we have more information, it could make sense to further research SESSION_INACTIVITY_TIMEOUT_IN_SECONDS in devstack as a follow-up ticket.
SESSION_COOKIE_AGE is tuned to less than an hour, you would also have to tune the JWT cookie settings as well. See "Test out the impact of a shorter inactivity timeout value on edx STAGE env #909 (comment)" for details.
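The two possibilities raised in the questions above (login_refresh does or does not push out the session cookie expiry) can be compared with a small model. This is an added example, not edx-platform code: the `Browser` class, the `sliding` flag and the visit schedules are constructed assumptions, while the two lifetimes are the values stated in the ticket.

```python
from dataclasses import dataclass

HOUR = 3600
DAY = 24 * HOUR
SESSION_COOKIE_AGE = 14 * DAY  # two weeks, as stated in the ticket
JWT_COOKIE_AGE = HOUR          # one hour, as stated in the ticket


@dataclass
class Browser:
    # Open question from the ticket: does a JWT refresh also re-issue the
    # session cookie? In Django that happens only when the request saves the
    # session (session modified, or SESSION_SAVE_EVERY_REQUEST = True).
    sliding: bool
    session_expires: float = 0.0
    jwt_expires: float = 0.0

    def login(self, now):
        self.session_expires = now + SESSION_COOKIE_AGE
        self.jwt_expires = now + JWT_COOKIE_AGE

    def mfe_request(self, now):
        """Return True if an MFE call at time `now` ends up authenticated."""
        if now < self.jwt_expires:
            return True   # JWT still valid, session cookie not consulted
        if now >= self.session_expires:
            return False  # both cookies expired: a fresh login is required
        # JWT expired, session alive: the login_refresh step mints a new JWT.
        self.jwt_expires = now + JWT_COOKIE_AGE
        if self.sliding:
            self.session_expires = now + SESSION_COOKIE_AGE
        return True


def logged_out_at(visit_times, sliding):
    """First visit (seconds after login at t=0) that fails, else None."""
    browser = Browser(sliding=sliding)
    browser.login(0)
    for t in visit_times:
        if not browser.mfe_request(t):
            return t
    return None


# Constructed schedules for the comparison.
EVERY_10_DAYS = [d * DAY for d in (10, 20, 30, 40)]
AFTER_15_IDLE_DAYS = [15 * DAY]
```

In this model, a visit every 10 days keeps the user logged in indefinitely when refresh slides the session expiry, and ends the session at the day-20 visit when it does not. A single visit after 15 idle days fails under both settings, so sliding expiry alone would not reproduce the restored session described in the ticket.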