Bug #2015

redmine/gerrit authentication expires too often/frequently

Added by laforge almost 4 years ago. Updated 4 months ago.

Target version:
Start date:
Due date:
% Done:


Spec Reference:


From an e-mail by Sylvain:

I'm not sure if it's just me or if I'm using it wrong but I'm always
annoyed when I have to login to gerrit ...

1) I shouldn't be logged out at all ... it's not a high security stuff
that session should be kept open for a long time, like > 1 week
without issues ...
2) I have to retype the openid login url. I mean there is a login with
Yahoo and login with Launchpad Id dedicated link, isn't there a way to
add, "login with your osmocom redmine account" link ?
3) Then I'm redirected to redmine, where I have to login as well,
because again for some reason I've been logged out. Same comment as
above, unless I explicitely log out, that session should last for ever
pretty much ...
4) When I then login to redmine, I get redirected to the OpenID end
point but at this point the "open id state" or whatever has been lost
and so I need to go back to gerrit and re-do the whole login process
so it can do it in one go without being interrupted by the redmine
login process and finally log me into gerrit ...

I can assure you I gave up on the whole process more than one time ....



Let's track in this ticket only the question why the authentication expires that frequently.


#1 Updated by zecke almost 4 years ago

Yes, unfortunately I have seen all of these. Will look at it during OsmoDevCon.

  • Gerrit should cache the log-in for months. I suspect the OpenID "token" holds an expiry as well. Need to learn/investigate it
  • Button. Yes, but then we permanently need to rebase/patch it. But true
  • I need to figure out if redmine can keep the info after the redirect..

#2 Updated by neels almost 4 years ago

In the redmine admin, I see an "Autologin: disabled" item that can be set to 1, 7, 30 or 365 days. I set it to 30 days to see whether it helps.

Also there's a "Session maximum lifetime" set do disabled, assuming that that means there is no expiration.

#3 Updated by zecke almost 4 years ago

  • Status changed from New to In Progress
  • I don't see an expiration handling in the OpenID gerrit code => not sure what to do. But "rememberme" seems to have an effect
  • I have added an "Osmocom Login button" to the page.

Going to continue to look at how to improve it.

#4 Updated by laforge almost 3 years ago

  • Status changed from In Progress to Stalled

#5 Updated by laforge 4 months ago

  • Status changed from Stalled to Feedback
  • Assignee changed from zecke to tnt
  • Priority changed from Normal to Low

is this still an issue? tbh I don't really remember any frequent expiration of authentication in recent months (years?).

#6 Updated by tnt 4 months ago

Much less an "issue" because :
(1) redmine seems to keep me logged in
(2) the "login with osmocom" made it way more seemless.

But for gerrit I'm pretty much always logged out everytime I go to it.

The only cookie it has seems to be a "Session" one and shouldn't expire. Not sure if it has some kind of time limit baked-in ...
(But then I've also just looked now so that might have changed with the upgrade.)

Also available in: Atom PDF

Add picture from clipboard (Maximum size: 48.8 MB)