Login Expiry

Skip to first unread message

Jay Kyburz

Oct 9, 2013, 4:22:39 PM10/9/13
to gae-sim...@googlegroups.com
Hello Alex and folks,

Yesterday I went live with my Simple Auth implementation. I was using standard Federated Identities until now.  

I've had some feedback that some users have been asked to log in multiple times throughout the day. All using Google OpenID's

In my application settings I have cookie expiration set to two weeks. Will this setting still be honored by SimpleAuth by default?

What would cause some users to have to log in repeatedly?



Oct 9, 2013, 4:48:37 PM10/9/13
to Jay Kyburz, gae-sim...@googlegroups.com
Hi Jay!

> In my application settings I have cookie expiration set to two weeks. Will
> this setting still be honored by SimpleAuth by default?

Definitely yes. SimpleAuth doesn't manage cookies, it relies on
whatever implementation you have in the app (usually it would be
webapp2's sessions module).

In addition, OpenID authentication is completely outsourced to
Google's infrastructure, so simpleauth does almost nothing when
authenticating against an OpenID provider thanks to App Engine.

> What would cause some users to have to log in repeatedly?

Really hard to say w/o seeing the code.
As stupid as it might sound, could it be that your app was sending
users to different domains (or even just protocols, http vs https)?
> --
> You received this message because you are subscribed to the Google Groups
> "SimpleAuth for GAE" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to gae-simpleaut...@googlegroups.com.
> Visit this group at http://groups.google.com/group/gae-simpleauth.
> For more options, visit https://groups.google.com/groups/opt_out.

Jay Kyburz

Oct 10, 2013, 2:25:02 AM10/10/13
to gae-sim...@googlegroups.com, Jay Kyburz
I wish it was that simple but no, same domain and protocol.

From what I can tell, by default cookies only last until the client is closed.

I will try setting a session_max_age somewhere and see if that does the trick.


Oct 10, 2013, 4:16:28 AM10/10/13
to Jay Kyburz, gae-sim...@googlegroups.com
Right, that could definitely be another reason. Let me know if it
solves the problem!

Jay Kyburz

Dec 8, 2013, 10:00:38 PM12/8/13
to gae-sim...@googlegroups.com, Jay Kyburz
Hey Alex,

I never was able to change the duration of the auth cookie.

If you remember right now its set to "session" by default, and this means that every time a user closes the browser they need to log in again.

This is not a problem most of the time, but my iPad uses find it very annoying because they get logged out every time they open up an app that is not the browser.

I would love some help working out how to set the session_max_age. Everything I tried failed.



Dec 10, 2013, 3:34:56 AM12/10/13
to Jay Kyburz, gae-sim...@googlegroups.com
Right, so this is how it always worked out for me:

config = {
  'webapp2_extras.sessions': {
    'cookie_args': { 'max_age': 86400 }

app = webapp2.WSGIApplication(routes=[...], config=config)

There are other useful cookie_args keys described here:

Hope this helps!


Dec 11, 2013, 1:51:12 AM12/11/13
to Jay Kyburz, gae-sim...@googlegroups.com
Ah sorry. Yeah, there's another piece of config that should go into
'webapp2_extras.auth' if you want to tune auth session parameters.

webapp2 uses two separate sections, one for a generic session and a
separate only for the authentication stuff:


On 11 December 2013 07:27, Jay Kyburz <j...@jaykyburz.com> wrote:
> I have some strange behaviour..
> my config looks like this.
> # webapp2 config
> app_config = {
> 'webapp2_extras.sessions': {
> 'cookie_args': { 'max_age': 604800 },
> 'cookie_name': '_simpleauth_sess',
> 'secret_key': SESSION_KEY
> },
> 'webapp2_extras.auth': {
> 'user_attributes': []
> }
> }
> I looks like when logging in using Google / Yahoo (ie the built in Federated
> Identity) I don't get a cookie called "_simpleauth_sess'. Instead my cookie
> is called "auth". The" auth" cookie ignores the max age setting.
> When I login with Facebook I get both the "_simpleauth_sess" cookie and the
> "auth" cookie.
> Seems like the auth cookie is all that is needed though. Do you fall back to
> auth if the _simplauth_sess cookie is not found?
> I see that when I login using Yahoo on https://simpleauth.appspot.com/ I get
> both cookies so I must have broken something somewhere with my OpenID
> implementation.
> Jay.
Reply all
Reply to author
0 new messages