FEATURE: Add support for not persistent sessions

In some cases Discourse admins may opt for sessions not to persist when a browser is closed. This is particularly useful in healthcare and education settings where computers are shared among multiple workers. By default `persistent_sessions` site setting is enabled, to opt out you must disable the site setting.
2020-09-11 15:11:13 +10:00 · 2020-09-11 15:11:13 +10:00 · 44fba9463b
parent 9e4ed03b8f
commit 44fba9463b
4 changed files with 16 additions and 1 deletions
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@ -1543,6 +1543,7 @@ en:
    invite_code: "User must type this code to be allowed account registration, ignored when empty (case-insensitive)"
    approve_suspect_users: "Add suspicious users to the review queue. Suspicious users have entered a bio/website but have no reading activity."
    pending_users_reminder_delay: "Notify moderators if new users have been waiting for approval for longer than this many hours. Set to -1 to disable notifications."
+    persistent_sessions: "Users will remain logged in when the web browser is closed"
    maximum_session_age: "User will remain logged in for n hours since last visit"
    ga_universal_tracking_code: "Google Universal Analytics (analytics.js) tracking code ID, eg: UA-12345678-9; see <a href='https://google.com/analytics' target='_blank'>https://google.com/analytics</a>"
    ga_universal_domain_name: "Google Universal Analytics (analytics.js) domain name, eg: mysite.com; see <a href='https://google.com/analytics' target='_blank'>https://google.com/analytics</a>"
--- a/config/site_settings.yml
+++ b/config/site_settings.yml
@ -478,6 +478,7 @@ login:
  pending_users_reminder_delay:
    min: -1
    default: 8
+  persistent_sessions: true
  maximum_session_age:
    default: 1440
    min: 1
--- a/lib/auth/default_current_user_provider.rb
+++ b/lib/auth/default_current_user_provider.rb
@ -224,10 +224,13 @@ class Auth::DefaultCurrentUserProvider
    hash = {
      value: unhashed_auth_token,
      httponly: true,
-      expires: SiteSetting.maximum_session_age.hours.from_now,
      secure: SiteSetting.force_https
    }

+    if SiteSetting.persistent_sessions
+      hash[:expires] = SiteSetting.maximum_session_age.hours.from_now
+    end
+
    if SiteSetting.same_site_cookies != "Disabled"
      hash[:same_site] = SiteSetting.same_site_cookies
    end
--- a/spec/components/auth/default_current_user_provider_spec.rb
+++ b/spec/components/auth/default_current_user_provider_spec.rb
@ -323,6 +323,16 @@ describe Auth::DefaultCurrentUserProvider do
    expect(provider("/topic/anything/goes", params.merge("HTTP_DISCOURSE_PRESENT" => "true")).should_update_last_seen?).to eq(true)
  end

+  it "supports non persistent sessions" do
+    SiteSetting.persistent_sessions = false
+
+    @provider = provider('/')
+    cookies = {}
+    @provider.log_on_user(user, {}, cookies)
+
+    expect(cookies["_t"][:expires]).to eq(nil)
+  end
+
  it "correctly rotates tokens" do
    SiteSetting.maximum_session_age = 3
    @provider = provider('/')