Admin session expiry and logout

There has been some development and discussion around the login remember me and sessions. I didn’t follow it all I confess, but what I have noticed is that the Administration item on the menu disappears after time.

I assume this is because the session has expired. However, the message on the top right still says ‘Logout’. I also note that the ‘My Account’ menu item is still available and usable. Overall, it is not consistent.

It seems to me that what the session expiring means needs to be made consistent.

  • What state should the system be in when the session expires?
  • Should the ‘public’ dashboards / apps be available even when logged out?
  • Should it be possible to default to a specified dashboard as the main screen when the session expires or when deliberately logging out?

Personally, for a home system, I am quite happy for the session to never expire; logging in and out is a pest (even with saved credentials). Could this be added as an option?

2 Likes

This catches me out regularly; the big red banner is also ugly in my opinion. It should be more graceful and return to the login page as it does when the user session times out.

The intention here is that administration is only available on a non ‘remember me’ session. Once the regular session times out the admin option disappears and requires a second login to re-activate. It adds a layer of security in that only standard sessions can access administration.

  • It would be good if this was configurable so the user has a choice in this.
  • The banner should change making it clear the state of the session.
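
The rule described in the post above (administration only on a non 'remember me' session, with the timeout made configurable and the menu and banner agreeing on the session state), sketched as an added example. It is not emoncms code: the `Session` fields, the `ADMIN_TIMEOUT` setting, the menu labels and the sample sessions are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical setting: seconds a password login keeps admin rights.
# None means "never expire", the option requested for home systems.
ADMIN_TIMEOUT: Optional[int] = 1800

@dataclass
class Session:
    user: str
    is_admin: bool      # the account holds the admin role
    via_password: bool  # True: interactive login; False: restored from a remember-me cookie
    login_time: float   # epoch seconds of the last password login

def session_state(s: Optional[Session], now: float,
                  admin_timeout: Optional[int] = ADMIN_TIMEOUT) -> str:
    """Single source of truth for the UI: 'anonymous', 'user' or 'admin'."""
    if s is None:
        return "anonymous"
    if not (s.is_admin and s.via_password):
        return "user"   # remember-me sessions never carry admin rights
    if admin_timeout is not None and now - s.login_time > admin_timeout:
        return "user"   # elevated rights lapsed, user is still logged in
    return "admin"

MENU = {
    "anonymous": ["Login"],
    "user": ["My Account", "Logout"],
    "admin": ["My Account", "Administration", "Logout"],
}

def render(s: Optional[Session], now: float,
           admin_timeout: Optional[int] = ADMIN_TIMEOUT) -> dict:
    """Derive menu and banner from the same state so they cannot disagree."""
    state = session_state(s, now, admin_timeout)
    needs_relogin = state == "user" and s is not None and s.is_admin
    notice = "Log in again to use Administration" if needs_relogin else ""
    return {"state": state, "menu": MENU[state], "notice": notice}

if __name__ == "__main__":
    # Constructed sample sessions, not real data.
    fresh = Session("alice", True, True, login_time=1000.0)
    restored = Session("alice", True, False, login_time=1000.0)
    print(render(fresh, now=1060.0))                        # admin
    print(render(fresh, now=1000.0 + 1801))                 # lapsed to user, with notice
    print(render(fresh, now=1e9, admin_timeout=None))       # never expires
    print(render(restored, now=1001.0))                     # remember-me: user only
```
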

My 2p worth
I run emoncms locally. I would like the option for my admin session to never expire - it’s a pain to have to log in every time I want to use the system.

1 Like

7 posts were split to a new topic: How to avoid dashboard “logging out”

I would like the admin expiry to be removed or be made optional.

There is a much more important but much less obvious security hole, which is the SSH (user:pi) default password.

If security is the focus, there should be a popup when entering the admin page:

" HEY. YOU HAVEN’T CHANGED THE SSH PASSWORD YET. "

with of course… a guide to changing it or a tool within the admin page (which does require the password again).

Trystan …
I second the sentiments expressed in this thread - would be great to have an option that sessions did not automatically log out.

It’s a real pain having set up a GRAPH session (dates, times, intervals, etc.) to have it all wiped out when the session automatically expires. You press RELOAD and nothing happens, and on scrolling up find all the red messages. Then you have to set up the GRAPH session all over again.
Thx

1 Like

I. Was. Right.
So right.
Omph, yeah…