From 35b10b323ac5604bcf5db55ea8fd4802c6873fed Mon Sep 17 00:00:00 2001
From: Lloyd Hilaiel <lloyd@hilaiel.com>
Date: Tue, 29 May 2012 08:39:27 +0300
Subject: [PATCH] increase authenticated session duration to 4 weeks (was
 effectively 1 week): issue #1632

---
 ChangeLog            | 1 +
 lib/configuration.js | 2 +-
 lib/wsapi.js         | 4 +---
 3 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 4c5f55bd2..74cc1368f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,7 @@
 train-2012.06.08 (in progress):
   * Support non-english passwords: issue #1631
   * remove obsolete code - 'code_update' handler: issue #1645
+  * allow sessions to persist for 4 weeks after a user confirms ownership of a device (was effectively 1 week): #1632
 
 train-2012.05.25:
   * many KPI improvements: #1597, #1613
diff --git a/lib/configuration.js b/lib/configuration.js
index 4c4957e57..abe731e59 100644
--- a/lib/configuration.js
+++ b/lib/configuration.js
@@ -138,7 +138,7 @@ var conf = module.exports = convict({
   },
   authentication_duration_ms: {
     doc: "How long may a user stay signed?",
-    format: 'integer = 1209600000'
+    format: 'integer = 2419200000'
   },
   ephemeral_session_duration_ms: {
     doc: "How long a user on a shared computer shall be authenticated",
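Review bot: The new default `2419200000` for `authentication_duration_ms` is larger than 2^31-1 (2147483647). JavaScript numbers hold it without loss, but any consumer that hands this value to a 32-bit-bounded API (a timer delay, a bitwise operation, a signed 32-bit column) would truncate or wrap it, so the uses of this key outside this hunk are worth checking. The doc string also gives neither the unit nor the meaning of the default; I would change it to `doc: "How long a user may stay signed in, in milliseconds (default: 4 weeks)"`. The `convict({...})` object starts and ends outside the hunk.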
diff --git a/lib/wsapi.js b/lib/wsapi.js
index aa206d442..004dd36d7 100644
--- a/lib/wsapi.js
+++ b/lib/wsapi.js
@@ -145,12 +145,10 @@ exports.setup = function(options, app) {
   var cookieSessionMiddleware = sessions({
     secret: COOKIE_SECRET,
     cookieName: COOKIE_KEY,
-    duration: 7 * 24 * 60 * 60 * 1000, // 1 week
+    duration: config.get('authentication_duration_ms'),
     cookie: {
       path: '/wsapi',
       httpOnly: true,
-      // IMPORTANT: we allow users to go 1 weeks on the same device
-      // without entering their password again
       maxAge: config.get('authentication_duration_ms'),
       secure: overSSL
     }
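Review bot: With `duration` now read from `authentication_duration_ms`, the session layer no longer imposes the old 1-week ceiling. The shorter `ephemeral_session_duration_ms` limit for shared computers therefore has to be enforced by a separate check that is not visible in this hunk, and it is worth confirming that check never relied on the hard-coded week. A 4-week session also widens the window in which a copied cookie stays usable, so any server-side invalidation on password change or sign-out should be verified as well. The removed `IMPORTANT` comment was the only in-code statement of what this value controls; I would replace it with `// session validity and cookie maxAge share one setting: how long a device stays signed in without a password prompt`. `exports.setup` continues outside the hunk.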
-- 
GitLab