Description of problem: The session time is very short on translate.zanata.org. A 'remember me' could help a lot to improve the user experience.
Zanata should at least be remembering your username; let us know if this is not working. Unfortunately it would be a security risk (XSS) to authenticate based on a persistent cookie (i.e. a full "remember me" function). Ref: http://docs.jboss.com/seam/2.3.0.Final/reference/en-US/html/security.html#d0e8787 If you are using a Fedora login, login can be a bit slow, because FAS always asks whether you're sure you want to log in to Zanata. As a workaround, I recommend setting a password for your Zanata account to allow faster logins: https://translate.zanata.org/zanata/profile/view Then when you log in, you can choose the Zanata logo on the right (instead of the Fedora login) and allow your browser to save the password. Zanata's built-in authentication should always be the fastest way to log in to Zanata. Alternatively, you can add another identity (e.g. Google) to your account here: https://translate.zanata.org/zanata/profile/identities The login process will be slightly slower than a Zanata login, but it should still be faster than Fedora, and will save you from having to create another password.
Are we rejecting this?
According to Issac, this feature is a nice-to-have, thus the priority and severity are low.
*** Bug 961588 has been marked as a duplicate of this bug. ***
This should be more than a nice-to-have. We should remember logins for at least 24 hours by default (kinit does), and then remember me should be an option that is turned on on the public instance. Remember me should last at least a month. Plus the errors that are displayed when you are in the middle of something and then it logs you out are useless, if present at all.
RE: Errors - https://bugzilla.redhat.com/show_bug.cgi?id=1059035
We could look at increasing the session timeout to 24 hours. https://www.owasp.org/index.php/Session_Timeout http://www.jtmelton.com/2012/04/17/year-of-security-for-java-week-16-set-a-soft-session-timeout/ Note that increasing the session timeout may cause Zanata to use quite a bit more memory, so we would need to watch that, and/or be ready to roll it back or reduce it to a few hours. The Seam manual still makes an excellent case against persistent cookie authentication, however popular it is: http://docs.jboss.com/seam/2.3.0.Final/reference/en-US/html/security.html#d0e8787 And as it says, browser-based "Remember Password" features are much safer than persistent cookie logins. In terms of implementation, Seam's Remember Me functionality would require setting up a persistent token store. It's not clear how you would set it up to expire tokens after a month, so there might be a bit more work there. For this bug, why don't we try increasing the session timeout only, and see how that goes?
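A sketch of the persistent token store mentioned above, with tokens that expire after the one month requested in this bug. This is an added example, not Zanata or Seam code: `RememberMeStore`, its methods, and the in-memory dict standing in for a database table are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

MAX_AGE = 30 * 24 * 3600  # one month, the lifetime asked for in this bug


class RememberMeStore:
    """Hypothetical token store; a dict stands in for a database table."""

    def __init__(self, clock=time.time):
        self.rows = {}  # series -> (username, sha256 of token, expires_at)
        self.clock = clock

    @staticmethod
    def _digest(token):
        # Only a hash is stored, so a leaked table cannot be replayed as cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username, series=None, expires_at=None):
        series = series or secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        if expires_at is None:
            expires_at = self.clock() + MAX_AGE
        self.rows[series] = (username, self._digest(token), expires_at)
        return f"{series}:{token}"  # value for a Secure, HttpOnly cookie

    def redeem(self, cookie):
        """Return (username, replacement_cookie), or (None, None) if rejected."""
        series, _, token = cookie.partition(":")
        row = self.rows.get(series)
        if row is None:
            return None, None
        username, digest, expires_at = row
        if self.clock() >= expires_at:
            del self.rows[series]  # expired: drop the row, force a real login
            return None, None
        if not hmac.compare_digest(digest, self._digest(token)):
            # Known series but stale token: a copied cookie was replayed.
            self.revoke_user(username)
            return None, None
        # Single use: rotate the token but keep the original expiry, so the
        # cookie's total lifetime stays bounded at MAX_AGE.
        return username, self.issue(username, series, expires_at)

    def revoke_user(self, username):
        self.rows = {s: r for s, r in self.rows.items() if r[0] != username}
```
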
Here is a good reference: http://stackoverflow.com/questions/244882/what-is-the-best-way-to-implement-remember-me-for-a-website
Reassigned to PM
Migrated; check JIRA for bug status: http://zanata.atlassian.net/browse/ZNTA-539