Chrome add-on does randomly logout #236
Comments
Normally I configure the JWT token to be valid for one week. Thanks for the feedback.
Thanks for your quick response! Since the add-on is usually installed on a personal device and the lesspass account contains no passwords, I wonder whether the token could be valid for even longer than a week. I'm thinking of a period of up to 6 months, comparable with that of a Google or Facebook login. Another option would be a 'keep me logged in' checkbox. I think this sounds like a small feature but this could have a great impact on usability and simplicity of the workflow.
@tim-peters if you open the app at minimum once a week, the token is refreshed and you're good for another week -> https://github.com/lesspass/pure/blob/master/src/store/actions.js#L10-L17
After some investigation, the backend invalidates tokens after a server reboot.
For me this is still one of the greatest usability hiccups. I do use the lesspass add-on on multiple devices. Because of that there can be several days (up to weeks) between each usage on one device. Since the token has a lifespan of just one week I almost always have to log in to my lesspass account first before I can start to type my master password to generate the password for a specific site. This feels like I have to log in twice. Could you at least increase the lifespan of the token to 4 weeks? Even better would be to have a checkbox to make it permanent (like the 'keep me logged in' checkbox on most sites).
Hello @tim-peters,
The annoying thing is when you have to authenticate on one of your trusted devices such as your smartphone/laptop. Should we increase the lifetime of the session or find a way to ease authentication on such devices? I think that our identity is intrinsic to ourselves and find it pretty awkward the need to prove that I'm still myself every time I want to log-in into a service.
I agree with @edouard-lopez and @tim-peters on this one, I think that increasing the token to a month is nice, but why not a year though? Another solution may be to keep a "local" storage for data, this way you don't have to fetch the old data from the server but I think it's not as great. @guillaumevincent I don't know if you try to keep the tokens after a server reboot, but if you do, a one-month token + keep sessions seems nice.
Sometimes, and I mean most of the time, Lesspass logs me out of my master password within 5-15 minutes of logged in time. I am not sure if it is a problem with the browser or the lesspass add-on. I have clear local storage and cookies on exit set in my browser. Does this affect lesspass? Also, what is the default behavior? Does lesspass maintain the session on browser re-load (within 7 days as mentioned above)?
@nodejs-practice login information is saved in local storage, so yes, when you clear local storage, you log out automatically at the same time.
+1. I use lesspass extension in many different browser+os+device combinations, and it's really annoying having to login again and again.
Since this issue remained open for more than a year now, maybe a quick recap of the results of our discussion:
I would really suggest giving this issue high priority (imho it's a huge show stopper for non-regular or new users).
Hello @tim-peters, sorry for this.
I encountered the bug today. I will fix this as soon as possible.
Love lesspass, using it every day, but indeed this issue is very annoying. I guess as the android and chrome clients rely on the same backend, I encountered the same problem with both clients.
Ah yes I can investigate in this direction. So basically authenticating yourself in the Android app forces you to authenticate again on the web extension?
@guillaumevincent The issue is more about having random logouts. Although I tried the issue you described, I was logged in in the chrome extension and logged out in the android app, then signed in the android app but I remained connected in the chrome extension, so it does look like we have this issue. Thanks a lot for investigating on that.
@guillaumevincent telling users they need to log back in might reduce frustration as one will start filling the form right away then realize they are offline and need to start again.
Hum, I would like to have the token working properly even after a restart of the containers. I will update the python modules in the containers to see if there is some improvement.
It will be fixed by 7750813
Unfortunately this appears not to be fixed yet (on the contrary, my subjective impression is that it got even worse). I still have to re-authenticate again almost every second time I use one of the browser addons. The credentials that are stored on the lesspass server are worthless without my master password. Therefore I would argue that they are not really sensitive data (in terms of security not privacy). Accordingly usability should be the main focus here. Best case would be that I have to authenticate only once and after that always only need my master password to generate all the individual passwords. Please, make the addons stop asking me to re-authenticate to lesspass all the time. This is really annoying :)
@tim-peters can you give me :
I'm on Firefox 79.0 with LessPass Web Extension 9.2.0. When I reopen the web extension after being authenticated, I don't have to authenticate again. Today the actual behaviour is the following: If you use LessPass at least once a week, you will be authenticated forever: see https://github.com/lesspass/lesspass/blob/master/containers/backend/lesspass/settings.py#L132-L134
@guillaumevincent After authenticating yesterday the login was still persistent this morning. But today during the day I had to re-authenticate several times on all devices / add-ons. I wish it would be as you describe as 'actual behaviour'. I use:
This is really strange, do you have a web extension that cleans your local storage?
Not that I know of. And this would only explain my web browser's extension not the android app, right?
Even after extensive testing with different browsers and devices, I can safely say that I still get randomly logged out of Lesspass after less than a week. I then have to enter my credentials again even, just to access non-critical data like sites and usernames. That just doesn't make any sense and is really annoying. And again: Even one week would be way too short. The standard for such non-critical logins (before automatically being logged out) is between 3 months and 2 years (take Facebook or Google as an example). Please consider setting the auto logout time significantly higher. It would improve the overall UX a lot!
+1. This is the only reason I'm actually considering moving to another application from time to time. Having to authenticate every single time just to get non-critical information is really frustrating.
Sharing the same frustration, it makes the use of the app impractical.
@Laski @canercandan I would be happy to fix the issue, but I can't reproduce it. If I understand you correctly, you have disconnections from time to time, right? The workflow is:
@guillaumevincent it's more like several days than 15 minutes. If it can help: when you click the extension:
Can it be 7 days? https://github.com/lesspass/lesspass/blob/master/containers/backend/lesspass/settings.py#L146
Oh I think I have an idea. Before we mount the component we try to get password profiles.
If the API returns an error because the refresh token is not valid (7 days after), then we log out: https://github.com/lesspass/lesspass/blob/master/packages/lesspass-pure/src/store/actions.js#L52 This is why you see this little glitch (authenticated, not authenticated) but it continues to work, because we refreshed the token. https://github.com/lesspass/lesspass/blob/master/packages/lesspass-pure/src/api/http.js#L18-L52 I'm going to fix this as soon as possible. I apologize for this bad code. Thank you @jdeniau
@guillaumevincent It might be seven days, but I'm not sure, I would say "several days" yes though. Nice if my comment did help! You are doing a wonderful job, no need to apologize 👍
getPassword action logout on error. This is bad because the error can be because of access_token expired. This patch will:
* display a spinner if refresh token is found on localStorage
* try to refresh the access token and the refresh token with the refresh token
* authenticate the user if ok and get password profiles
* finally set loading to false to display password generator view

Fixes #236
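The startup behaviour before and after the fix described above, as an added example that is not LessPass code: a constructed in-memory backend stands in for the API, and every name here (`makeBackend`, `startLogoutOnError`, `startWithRefresh`, `reopenAfter`) is hypothetical. The 15-minute access-token lifetime is an assumption; the 7-day refresh lifetime is the value discussed in the thread.

```javascript
const ACCESS_TTL = 15 * 60, REFRESH_TTL = 7 * 24 * 3600; // seconds; ACCESS_TTL is an assumption
function makeBackend(clock) { // constructed in-memory backend, not LessPass code
  let seq = 0;
  const access = new Map(), refresh = new Map(); // token -> expiry time
  const issue = () => {
    const pair = { access: `a${++seq}`, refresh: `r${seq}` };
    access.set(pair.access, clock.now + ACCESS_TTL);
    refresh.set(pair.refresh, clock.now + REFRESH_TTL);
    return pair;
  };
  return {
    login: issue,
    getPasswords: (t) =>
      (access.get(t) || 0) > clock.now ? { status: 200, profiles: ["example.org"] } : { status: 401 },
    refresh: (t) => {
      const ok = (refresh.get(t) || 0) > clock.now;
      refresh.delete(t); // rotation: each refresh token is single use
      return ok ? { status: 200, tokens: issue() } : { status: 401 };
    },
  };
}

// Before: any error from the startup fetch logs the user out.
function startLogoutOnError(backend, store) {
  const res = backend.getPasswords(store.access);
  if (res.status === 200) return { authenticated: true, profiles: res.profiles };
  store.access = store.refresh = null; // a still-valid refresh token is discarded
  return { authenticated: false, profiles: [] };
}

// After: rotate tokens first; log out only when the refresh token is rejected.
function startWithRefresh(backend, store) {
  const state = { loading: true, authenticated: false, profiles: [] };
  const r = store.refresh ? backend.refresh(store.refresh) : { status: 401 };
  if (r.status === 200) {
    Object.assign(store, r.tokens);
    state.authenticated = true;
    state.profiles = backend.getPasswords(store.access).profiles || [];
  } else store.access = store.refresh = null;
  state.loading = false;
  return state;
}

// Log in, stay idle, then reopen the extension with the given startup routine.
function reopenAfter(idleSeconds, start) {
  const clock = { now: 0 }, backend = makeBackend(clock);
  const store = backend.login();
  clock.now += idleSeconds;
  return { state: start(backend, store), store };
}
```

After one idle hour the first routine logs the user out although the refresh token has days left, while the second stays authenticated; past the 7-day refresh lifetime both end logged out, which is the intended expiry.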
I pushed a new version on Chrome store and Firefox AMO
Thanks for the quick fix! Keep up the good work
Thank you so much @guillaumevincent! you're doing an amazing job!
❤️ I just hope this time I fixed it correctly
The lesspass Chrome add-on is quite handy because it automatically detects what site I'm on and suggests the domain and username field accordingly - if the user is logged in to lesspass.
Unfortunately I get automatically logged out of lesspass from time to time. So I have to enter my lesspass username and password (to login to lesspass) and my master password for the website just to get my password. This is quite annoying and absolutely not necessary from a security perspective (domain and username are not that sensitive).
Is the auto-logout a normal behavior?
I do use the lesspass add-on with the same account on different PCs. Could this have anything to do with that?