A number of GitLab users have noticed that GitLab requires re-authentication much more often than expected. I can confirm from personal experience and that of the rest of RelEng that this seems to be the case, and we've had at least half a dozen mentions from other users.
Collecting some notes from Slack and IRC discussion:
14:13 <hashar> anyway from their doc at https://docs.gitlab.com/ee/user/profile/index.html#cookies-used-for-sign-in , there should be a `remember_user_token` which is set when one uses "Remember me"
14:13 <hashar> and I don't have it ;)
14:19 <bd808> hashar: I don't have one either, but I wonder if that is due to not using their password auth more than anything else? The login flow we use never has a "remember me" field that is hosted by gitlab, does it?
14:19 <hashar> yeah I think that is the issue
14:20 <hashar> the auth provider is CAS OmniAuth if I got it right (which is deprecated)
14:20 <hashar> and even if I check remember me on our idp.wikimedia.org, the cookie is not set on gitlab
14:20 <hashar> so I guess that provider doesn't set the cookie …
14:22 <hashar> there is some upstream task https://gitlab.com/gitlab-org/gitlab/-/issues/370083 "Remember me cookie not set when bypassing 2fa in omniauth"
14:23 <bd808> I don't think we run with omniauth_allow_bypass_two_factor=true
14:54 <+thcipriani> we talked about it in the team meeting and I confirmed that the headers looked right for setting a cookie that *should* last 7 days (although in practice, mine doesn't seem to for whatever reason: maybe a "my weird setup" problem)
14:56 <+thcipriani> well. I confirmed at least that the "expires" looks right. On Feb 16th I got the header: set-cookie: known_sign_in=XXX; path=/; expires=Thu, 02 Mar 2023 16:21:06 GMT; secure; HttpOnly; SameSite=None
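The discussion above boils down to two checks on the `Set-Cookie` headers a sign-in response returns: is `remember_user_token` present at all, and how long do the cookies that are present actually last. The following script is an added example (not part of this task and not GitLab code) that performs both checks on constructed sample headers; the `_gitlab_session` line, the `XXX` value and the reference time are assumptions, and only the `known_sign_in` header mirrors the one quoted in the chat. It also flags cookies missing the `Secure` or `HttpOnly` attributes, which is what one would want to see when reviewing session cookies in general.

```python
"""Audit the Set-Cookie headers of a sign-in response (example, not GitLab code)."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers. The known_sign_in line mirrors the header quoted
# in the chat; the session cookie line and the value "XXX" are placeholders.
SAMPLE_HEADERS = [
    "_gitlab_session=SESSIONVALUE; path=/; secure; HttpOnly; SameSite=None",
    "known_sign_in=XXX; path=/; expires=Thu, 02 Mar 2023 16:21:06 GMT; "
    "secure; HttpOnly; SameSite=None",
]

# Assumed reference time: the day the header above was observed (Feb 16th),
# using the same time of day as the expires attribute.
REFERENCE_TIME = datetime(2023, 2, 16, 16, 21, 6, tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Split one Set-Cookie value into name, value and a dict of attributes.

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly)
    map to True, valued ones (expires, path, samesite) to their string.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val if val else True
    return {"name": name, "value": value, "attrs": attrs}


def cookie_lifetime_days(cookie, now):
    """Remaining lifetime in days, or None for a browser-session cookie.

    Max-Age takes precedence over Expires, as in RFC 6265.
    """
    attrs = cookie["attrs"]
    if "max-age" in attrs:
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        return (expires - now).total_seconds() / 86400
    return None


def audit_sign_in_cookies(headers, now):
    """Report on the remember-me cookie, lifetimes and missing hardening flags."""
    cookies = [parse_set_cookie(h) for h in headers]
    names = {c["name"] for c in cookies}
    return {
        # If this is False, the "Remember me" path never ran on the GitLab side.
        "remember_user_token_present": "remember_user_token" in names,
        "lifetimes": {c["name"]: cookie_lifetime_days(c, now) for c in cookies},
        "missing_flags": {
            c["name"]: [f for f in ("secure", "httponly") if f not in c["attrs"]]
            for c in cookies
        },
    }


def audit_report():
    """Run the audit on the constructed sample with the assumed reference time."""
    return audit_sign_in_cookies(SAMPLE_HEADERS, REFERENCE_TIME)


if __name__ == "__main__":
    for key, val in audit_report().items():
        print(f"{key}: {val}")
```

To use it against a real response, replace `SAMPLE_HEADERS` with the `Set-Cookie` values from the browser's network panel (or `curl -i` output) and set `REFERENCE_TIME` to the response's `Date` header; a cookie whose lifetime comes out as `None` is only kept until the browser closes, which on its own explains frequent re-authentication.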
Maybe related upstream: https://gitlab.com/gitlab-org/gitlab/-/issues/370083
Previous context:
- T288757: Increase GitLab session lifetime to something reasonable
- T274461: Define auth strategy for GitLab
See also: