Missing documentation for "remembering sessions"

I am confused why I am getting logged out although I clicked the “remember this session” button. There are some threads here that kind of explain why that might be. Still I am confused and I am sure that less “tech-literate” people immediately think that this is a bug and the software is not working as it should. (I am also not sure if it is, but it seems to be connected with my browser settings I suppose)

https://help.passbolt.com/search.html?query=session as you can see there is no documentation about it at all.

I just realized the wording in the extensions even is “remember until I log out”. Which is not the case at all and very confusing :slight_smile:

See my previous answer here; Logouts after ~60 Minutes

This is how the code works at moment: it checks every 15 minutes if the browser is idle, using this browser functionality reserved for extensions, which returns "locked" if the system is locked, "idle" if the user has not generated any input for a specified number of seconds, or "active" otherwise.

MDN Web Docs

idle.queryState()

Returns “locked” if the system is locked, “idle” if the user has not generated any input for a specified number of seconds, or “active” otherwise.

So if there is no input, the extension will not try to keep the session alive, and will just let it timeout. So if you have a long session default normally you would need to fail several checks to get logged out.

Note also if the browser window is closed (even if the browser application is not closed) you will get logged out right away. Maybe there is an issue when people use multiple windows (as in instead of tabs) and close one, i will need to double check this.

We welcome your tests and feedback to fine tune the behavior.

The bottom line is if we do not try to aggressively flush the passphrase from the memory one part of our audience (security researchers, bounty hunters, etc.) will complain that the software is not secure. If we agressively flush the passphrase, we have people who complain that the software is not behaving as expected. One approach would be to put more of these options in the settings but, this put pressure on the developers to maintain, test and support multiple behaviors.

The real behavior is along the line of: “remember until I log out, or my session timeout, or I close the window, or my browser is idle mode and a check of session happens”, but that’s a bit much to place as a label :wink:

Gotcha, I think the main issue is the communication, though. You should communicate to the user what "remembering"means. Or change the wording. Because right now it feels like the extension is just buggy. Maybe “remember for some time” or something a bit more unspecific. and explain the behavior in the documentation?

Yeah I agree this should be clarified. I’ll try to tackle this when we redesign the login this summer.

1 Like