diff --git a/ChangeLog b/ChangeLog
index 4c5f55bd2a68eb6efda0cf930999861c85d78ff7..74cc1368f25cea850139c3b182efe100a1890e5c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,7 @@
 train-2012.06.08 (in progress):
 * Support non-english passwords: issue #1631
 * remove obsolete code - 'code_update' handler: issue #1645
+ * allow sessions to persist for 4 weeks after a user confirms ownership of a device (was effectively 1 week): #1632
 train-2012.05.25:
 * many KPI improvements: #1597, #1613
diff --git a/lib/configuration.js b/lib/configuration.js
index 4c4957e57866824105433609fea062849e2d5bb1..abe731e59d8dd5d52b97a22ba29a69fbf3f5e205 100644
--- a/lib/configuration.js
+++ b/lib/configuration.js
@@ -138,7 +138,7 @@ var conf = module.exports = convict({
 },
 authentication_duration_ms: {
 doc: "How long may a user stay signed?",
- format: 'integer = 1209600000'
+ format: 'integer = 2419200000'
 },
 ephemeral_session_duration_ms: {
 doc: "How long a user on a shared computer shall be authenticated",
diff --git a/lib/wsapi.js b/lib/wsapi.js
index aa206d442e7c273efa70dcdf56c97ffb0bd853a4..004dd36d701558003b138c45ea2a7bb40c77797c 100644
--- a/lib/wsapi.js
+++ b/lib/wsapi.js
@@ -145,12 +145,10 @@ exports.setup = function(options, app) {
 var cookieSessionMiddleware = sessions({
 secret: COOKIE_SECRET,
 cookieName: COOKIE_KEY,
- duration: 7 * 24 * 60 * 60 * 1000, // 1 week
+ duration: config.get('authentication_duration_ms'),
 cookie: {
 path: '/wsapi',
 httpOnly: true,
- // IMPORTANT: we allow users to go 1 weeks on the same device
- // without entering their password again
 maxAge: config.get('authentication_duration_ms'),
 secure: overSSL
 }
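Review bot: The new default `2419200000` in lib/configuration.js is above 2^31 - 1 (2147483647), which the old `1209600000` was not, so any consumer that treats `authentication_duration_ms` as a 32-bit quantity would now misbehave; Node's timers, for instance, clamp a delay above that limit to 1 ms. The two uses visible in this commit (`duration` and `maxAge` in lib/wsapi.js) look like plain millisecond values handed to the session middleware, but other readers of the key are outside the diff and should be checked. The literal also carries no unit hint, so I would add a comment beside the `format` line such as `// 4 weeks = 28 * 24 * 60 * 60 * 1000 ms`, and extend the `doc` string to say the value is in milliseconds and bounds how long a session cookie is accepted without re-entering the password. The `convict({...})` call starts and ends outside the hunk.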
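Review bot: With `duration: config.get('authentication_duration_ms')` in lib/wsapi.js, the 1-week ceiling that the old literal placed on every session is gone, and nothing in this hunk shows what still shortens a session started on a shared computer. `ephemeral_session_duration_ms` is defined in lib/configuration.js, but its enforcement is not in the visible lines; it is worth confirming that check does not rely on the old ceiling, since it is presumably now the only limit below 4 weeks. The deleted `// IMPORTANT` comment was the only place that explained the re-authentication window, so I would replace it rather than drop it, e.g. `// session duration and cookie maxAge both follow authentication_duration_ms; see lib/configuration.js`. Reading the key once into a local and using it for both `duration` and `maxAge` would also keep the two from drifting apart again. The `sessions({...})` call and `exports.setup` continue outside the hunk.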