Discovery around session cookie timeout #954

Closed as not planned

Description

@robrap

During discovery around the setting SESSION_INACTIVITY_TIMEOUT_IN_SECONDS, we noticed that our current configuration around SESSION_COOKIE_AGE isn't working as we thought, and this ticket is to learn more about our current settings.

Additional notes:

  • It may be that SSO to edX Stage using OneLogin updates our login cookies, so testing in Stage, Prod, etc. may require test accounts that don't use SSO.
    • When @jristau1984 did testing in Stage (or possibly Prod), he used a test (non-SSO) account, waited over 2 weeks (current configuration for SESSION_COOKIE_AGE), saw the cookies expire and disappear in the browser, and on returning to an MFE tab was able to see the session restored.
      • This finding was quite mysterious.
      • Can others duplicate this? Possibly in other environments like devstack. If so, what can revive the session and session cookie after the session cookie has disappeared?
  • MFEs use the JWT cookie (currently lasting an hour). When the JWT cookie has expired, but the session cookie is still active, an MFE can create a new JWT cookie (via login_refresh).
    • Does the session cookie expiration get updated at the same time? This probably extends the session life.
    • Does this work as a sort of session extension with MFE session activity?
  • It may make sense to first test in devstack with MFEs and shorter timeouts.
  • We decided that additional experimentation with the separate setting SESSION_INACTIVITY_TIMEOUT_IN_SECONDS doesn't make sense until we understand how the current setting of SESSION_COOKIE_AGE works (or doesn't work). Once we have more information, it could make sense to further research SESSION_INACTIVITY_TIMEOUT_IN_SECONDS in devstack as a follow-up ticket.
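One concrete way to answer the "does the session cookie expiration get updated at the same time?" question above is to capture the Set-Cookie headers from the login response and from a later login_refresh response and compare the absolute expiry each one assigns to every cookie. In Django the session cookie's expiry only moves when a response re-sends Set-Cookie for it (the session middleware does so when the session was modified, or on every request if SESSION_SAVE_EVERY_REQUEST is true), so if login_refresh re-issues only the JWT cookie the session expiry stays absolute. The script below is an added example, not code from this issue or from edx-platform; the sample headers are constructed, "sessionid" is Django's default session cookie name, and "jwt-cookie" is a placeholder for whatever the MFE JWT cookie is actually called.

```python
"""Compare Set-Cookie expiries across two captured responses.

Added example for the investigation in the issue above; not part of
edx-platform.  Cookie names other than Django's default "sessionid" are
placeholders, and the captured headers are constructed sample data.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional


def parse_set_cookie(header: str, received_at: datetime):
    """Parse one Set-Cookie header value into (name, absolute_expiry).

    absolute_expiry is None for a browser-session cookie (neither Max-Age nor
    Expires present).  Per RFC 6265, Max-Age takes precedence over Expires.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    if "max-age" in attrs:
        return name, received_at + timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return name, parsedate_to_datetime(attrs["expires"])
    return name, None


def cookie_expiries(headers, received_at: datetime) -> dict:
    """Map cookie name -> absolute expiry for every Set-Cookie header of one response."""
    return dict(parse_set_cookie(h, received_at) for h in headers)


def expiry_change(before: dict, after: dict, name: str) -> Optional[timedelta]:
    """By how much did `name`'s expiry move between the two responses?

    Returns None when the later response did not re-issue the cookie (the
    browser keeps the earlier expiry) or when either side is a session cookie.
    """
    if name not in before or name not in after:
        return None
    if before[name] is None or after[name] is None:
        return None
    return after[name] - before[name]


def describe(before: dict, after: dict) -> list:
    """Human-readable summary, one line per cookie seen in the first response."""
    lines = []
    for name in before:
        delta = expiry_change(before, after, name)
        if delta is None:
            lines.append(f"{name}: not re-issued, expiry unchanged ({before[name]})")
        else:
            lines.append(f"{name}: expiry moved by {delta} (now {after[name]})")
    return lines


# Constructed sample captures (not real edX traffic).
LOGIN_AT = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
LOGIN_RESPONSE = [
    # 1209600 s = 14 days, matching the SESSION_COOKIE_AGE mentioned in the issue
    "sessionid=constructed-session-id; Max-Age=1209600; Path=/; HttpOnly; Secure; SameSite=Lax",
    # "jwt-cookie" is a placeholder name for the MFE JWT cookie
    "jwt-cookie=constructed.jwt.v1; Max-Age=3600; Path=/; Secure; SameSite=Lax",
    "csrftoken=constructed-csrf; Expires=Mon, 30 Dec 2024 09:00:00 GMT; Path=/",
]
# A login_refresh call 50 minutes later that re-issues only the JWT cookie.
REFRESH_AT = LOGIN_AT + timedelta(minutes=50)
REFRESH_RESPONSE = [
    "jwt-cookie=constructed.jwt.v2; Max-Age=3600; Path=/; Secure; SameSite=Lax",
]


if __name__ == "__main__":
    before = cookie_expiries(LOGIN_RESPONSE, LOGIN_AT)
    after = cookie_expiries(REFRESH_RESPONSE, REFRESH_AT)
    print("\n".join(describe(before, after)))
```

With the constructed captures the report shows the JWT cookie's expiry moving forward by the 50 minutes between the two responses while sessionid is not re-issued and keeps its original 14-day expiry; on real Stage or devstack captures, a sessionid line that reads "expiry moved by" is the evidence that the refresh extends the session.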
