Extending remember deadline on each request

[janko]

In the preparation for my screencast for rebuilding GitHub authentication, I want to replicate how GitHub does remembering. As far as I could tell, GitHub automatically remembers the user on login, and forgets the user probably 2 weeks after they have last been active.

From my understanding, the current remember feature remembers the user remember_period after it has been remembered, and optionally remember_deadline_period after it has last been remembered if extend_remember_deadline? is true. So, if the user has their browser open for 2 weeks, keeping the session cookie alive, once they close the browser they will not be remembered, correct?

If yes, do you have ideas how to implement the behavior that GitHub has? I tried extracting extending remember deadline into a separate method, so that it can be called in the routing tree, I'm not sure if that would be a good approach.

diff --git a/doc/remember.rdoc b/doc/remember.rdoc
index 446b0cb..d7e52db 100644
--- a/doc/remember.rdoc
+++ b/doc/remember.rdoc
@@ -21,6 +21,14 @@ on login:
     remember_login
   end
 
+The user can be logged in from remember token +remember_deadline_period+ after
+remember token has been created, or +remember_period+ after the user has last
+been remembered when +extend_remember_deadline?+ is set to +true+. You can also
+extend the deadline on each request by adding the following code to your
+routing block:
+
+  rodauth.extend_remember_deadline
+
 The remember feature records which sessions were autologged in via the
 remember cookie. If you have sections where you want to add more security,
 you can use the confirm password feature to request password authentication
diff --git a/lib/rodauth/features/remember.rb b/lib/rodauth/features/remember.rb
index 0a5716f..62289bc 100644
--- a/lib/rodauth/features/remember.rb
+++ b/lib/rodauth/features/remember.rb
@@ -131,13 +131,16 @@ module Rodauth
       before_load_memory
       login_session('remember')
 
-      if extend_remember_deadline?
-        active_remember_key_ds(id).update(remember_deadline_column=>Sequel.date_add(Sequel::CURRENT_TIMESTAMP, remember_period))
-        remember_login
-      end
+      extend_remember_deadline if extend_remember_deadline?
       after_load_memory
     end
 
+    def extend_remember_deadline
+      return unless id = remembered_session_id
+      active_remember_key_ds(id).update(remember_deadline_column=>Sequel.date_add(Sequel::CURRENT_TIMESTAMP, remember_period))
+      remember_login
+    end
+
     def remember_login
       get_remember_key
       opts = Hash[remember_cookie_options]

[jeremyevans]

I'm OK with the general idea of making it easier to automatically extend the remember deadline for logged in sessions. I don't want it to happen on every request because then it is an extra query on every request. Maybe it would be better to only extend the remember deadline if it hasn't been extended in the last hour (by default, time frame configurable)? We could do that by storing a session value for the last time the remember deadline was updated in the current session. Not sure if we want to build that functionality into the remember feature, or add it as a separate feature. What are your thoughts?

[janko]

I like the idea of updating the deadline after a configurable time frame, sounds much more reasonable than on every request. It would make sense to me to keep the functionality inside the remember feature, because this behavior is actually what I would expect by default (remember me for N days since my last activity). In that case, could this be done automatically by load_memory when extend_remember_deadline? is set to true, or should it be a separate method or boolean option?

[jeremyevans]

If it is part of the remember feature, it should probably be done by load_memory if extend_remember_deadline? is true. We'll still need to add configuration methods for the session key and for the time frame to wait before extending the deadline (by default, 3600 seconds).