Commit f96e9bf7 authored by Mike Jang's avatar Mike Jang

Merge branch 'sh-update-remember-me-docs' into 'master'

Add docs for "Remember me" login changes

See merge request gitlab-org/gitlab!33544
parents a7d11e42 32becd93
...@@ -250,7 +250,27 @@ When the `_gitlab_session` expires or isn't available, GitLab uses the `remember ...@@ -250,7 +250,27 @@ When the `_gitlab_session` expires or isn't available, GitLab uses the `remember
to get you a new `_gitlab_session` and keep you signed in through browser restarts. to get you a new `_gitlab_session` and keep you signed in through browser restarts.
After your `remember_user_token` expires and your `_gitlab_session` is cleared/expired, After your `remember_user_token` expires and your `_gitlab_session` is cleared/expired,
you will be asked to sign in again to verify your identity (which is for security reasons). you will be asked to sign in again to verify your identity for security reasons.
### Increased sign-in time
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/20340) in GitLab 13.1.
The `remember_user_token` lifetime of a cookie can now extend beyond the deadline set by `config.remember_for`, as the `config.extend_remember_period` flag is now set to true.
GitLab uses both session and persistent cookies:
- Session cookie: Session cookies are normally removed at the end of the browser session when the browser is closed. The `_gitlab_session` cookie has no expiration date.
- Persistent cookie: The `remember_me_token` is a cookie with an expiration date of two weeks. GitLab activates this cookie if you click Remember Me when you sign in.
By default, the server sets a time-to-live (TTL) of 1-week on any session that is used.
When you close a browser, the session cookie may still remain. For example, Chrome has the "Continue where you left off" option that restores session cookies.
In other words, as long as you access GitLab at least once every 2 weeks, you could remain signed in with GitLab, as long as your browser tab is open.
The server continues to reset the TTL for that session, independent of whether 2FA is installed,
If you close your browser and open it up again, the `remember_user_token` cookie allows your user to reauthenticate itself.
Without the `config.extend_remember_period` flag, you would be forced to sign in again after two weeks.
<!-- ## Troubleshooting <!-- ## Troubleshooting
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment