FEATURE: Add support for not persistent sessions

In some cases Discourse admins may opt for sessions not to persist when a
browser is closed.

This is particularly useful in healthcare and education settings where
computers are shared among multiple workers.

By default the `persistent_sessions` site setting is enabled; to opt out you
must disable the site setting.
This commit is contained in:
Sam Saffron
2020-09-11 15:11:13 +10:00
parent 9e4ed03b8f
commit 44fba9463b
4 changed files with 16 additions and 1 deletions

@ -224,10 +224,13 @@ class Auth::DefaultCurrentUserProvider
hash = {
value: unhashed_auth_token,
httponly: true,
expires: SiteSetting.maximum_session_age.hours.from_now,
secure: SiteSetting.force_https
}
if SiteSetting.persistent_sessions
hash[:expires] = SiteSetting.maximum_session_age.hours.from_now
end
if SiteSetting.same_site_cookies != "Disabled"
hash[:same_site] = SiteSetting.same_site_cookies
end
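
Review bot: in the `if SiteSetting.persistent_sessions` branch, leaving `expires` unset when the setting is off only turns the auth cookie into a browser-session cookie; nothing in this hunk changes how long the token itself is accepted. Browsers that restore the previous session on startup can keep session cookies across a restart, so on the shared computers the commit message describes, a closed browser may not mean a logged-out user. It is worth stating that limit in the setting's description, and considering a shorter server-side token lifetime when `persistent_sessions` is disabled.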