Best practices for long-term sessions with 2factor

[Bertg]

Hi,

Our current rodauth setup uses the remember plugin to allow user to have a long-term session on their devise (this is actually a default tin our case) and we also allow users to configure several 2 factor solutions.

Now, some of our users have found that each time they kill their browser (or restart their computer) that they are confronted with a 2 factor confirmation screen again, while they expect to still be signed in.

I understand that in rodauth the current session is maintained in a session cookie and this is thus also the state of where the 2FA flag is kept, and he remember cookie is kept in a time based cookie. This explains the behaviour the users are seeing.

Now, if we would want to implement their request, what would be the best way to go about this?

• Dump the remember plugin and store the session in a long-lived cookie?
• Somehow add the 2FA knowledge to the remember state?
• Something else?

[janko]

See #435 (comment) for one possible solution.

[Bertg]

@janko Yeah, I've seen that. But it does seem a bit like a hack. In that example, if an other session would add 2FA to the account, then the first session would remain signed in via the remember function; while never having been authenticated in the first place. I would consider that a security issue. You could augment that by calling disable_remember_login when 2FA is added to an account, but that's a hack on top of a hack. Also, in our case, we have multiple 2FA abilities, just setting it to totp is a best random, at worst nonsensical.

[Bertg]

Understood, but this would be as secure as storing the 2FA state on the remember cookie, no?

[jeremyevans]

Long lived session cookie and 2FA state in long lived remember cookie should be equivalent in security.

[janko]

I'm wondering if all it takes to store the Rodauth session in a long-lived cookie in Rails is the following:

auth_class_eval do
  def session
    rails_cookies.permanent.signed
  end
end

I haven't tested it, though.

EDIT: Actually, no, that will store a new cookie for each session key. Nevermind then 😅

[Bertg]

@janko Yeah, I need to figure that one out as well. We need to figure this one out as well. Either directly via roda/rodauth or via rodauth rails.

[Bertg]

@janko with rodauth-rails I think it is as simple as adding this to the config:

config.session_store :cookie_store,
  key: "_lol_session",
  secure: true,
  httponly: true,
  expire_after: 14.days

And optionally something like this to the controller:

before_action {
  request.session_options[:expire_after] = 14.days
}

We are running tests with that approach now.