Lesspass: Chrome add-on does randomly logout

Created on 14 Jun 2017  ·  36 Comments  ·  Source: lesspass/lesspass

The lesspass Chrome add-on is quite handy because it automatically detects what site I'm on and suggests the domain and username fields accordingly, if the user is logged in to lesspass.

Unfortunately I get automatically logged out of lesspass from time to time. So I have to enter my lesspass username and password (to login to lesspass) and my master password for the website just to get my password. This is quite annoying and absolutely not necessary from a security perspective (domain and username are not that sensitive).

Is the auto-logout a normal behavior?
I do use the lesspass add-on with the same account on different PCs. Could this have anything to do with that?

Labels: ux, bug


All 36 comments

Normally I configure the JWT token to be valid for one week.
Maybe the deployment breaks the token validity.
Let me check this

Thanks for the feedback

Thanks for your quick response!

Since the add-on is usually installed on a personal device and the lesspass account contains no passwords, I wonder whether the token could be valid for even longer than a week. I'm thinking of a period of up to 6 months, comparable with that of a Google or Facebook login.

Another option would be a 'keep me logged in' checkbox.

I think this sounds like a small feature, but it could have a great impact on the usability and simplicity of the workflow.

@tim-peters if you open the app at minimum once a week, the token is refreshed and you're good for another week -> https://github.com/lesspass/pure/blob/master/src/store/actions.js#L10-L17

After some investigation: the backend invalidates the token after a server reboot.
I will try to fix this

For me this is still one of the greatest usability hiccups. I do use the lesspass add-on on multiple devices. Because of that there can be several days (up to weeks) between each usage on one device. Since the token has a lifespan of just one week, I almost always have to log in to my lesspass account first before I can start to type my master password to generate the password for a specific site. This feels like I have to log in twice.

Could you at least increase the lifespan of the token to 4 weeks? Even better would be to have a checkbox to make it permanent (like the 'keep me logged in' checkbox on most sites).
I think this would go without a major drawback in security since I still have to type in my master password every time I want to generate a specific password.

Hello @tim-peters,
I need to think more about the problem. Maybe a "keep me logged in" option, or increasing the life of the token to 1 month. The data saved is not critical. I don't know which solution is best.

The annoying thing is when you have to authenticate on one of your trusted device such as your smartphone/laptop.

Should we increase the lifetime of the session or find a way to ease authentication on such devices?

I think that our identity is intrinsic to ourselves, and I find it pretty awkward to need to prove that I'm still myself every time I want to log in to a service.

I agree with @edouard-lopez and @tim-peters on this one. I think that increasing the token to a month is nice, but why not a year though?

Another solution may be to keep a "local" storage for the data; this way you don't have to fetch the old data from the server, but I think it's not as great.

@guillaumevincent I don't know if you try to keep the tokens after a server reboot, but if you do, a one-month token + keep sessions seems nice

Sometimes, and I mean most of the time, Lesspass logs me out of my master password within 5-15 minutes of logged-in time. I am not sure if it is a problem with the browser or the lesspass add-on. I have "clear local storage and cookies on exit" set in my browser. Does this affect lesspass? Also, what is the default behavior? Does lesspass maintain the session on browser reload (within 7 days, as mentioned above)?

@nodejs-practice login information is saved in local storage, so yes, when you clear local storage you are logged out automatically at the same time.

+1. I use lesspass extension in many different browser+os+device combinations, and it's really annoying having to login again and again.

Since this issue remained open for more than a year now, maybe a quick recap of the results of our discussion:

  • Having to authenticate over and over again just to access non-critical data is not just super annoying but a crucial usability issue
  • Feasible solutions would be: dramatically increasing the lifetime of the login token (> several months) or even providing a 'keep me logged in' option
  • A possible short-term solution would be to provide a way to store the saved data offline

I would really suggest giving this issue a high priority (imho it's a huge show stopper for non-regular or new users).

Hello @tim-peters,
yes, definitely I should look at this issue.
I'm a little busy this summer (I'm the father of an adorable little girl)
I will try to find some time soon

sorry for this

I encountered the bug today.
It's related to docker and the .env file.
Every time docker is restarted, the secret key of the backend is regenerated.

I will fix this as soon as possible

Love lesspass, using it every day, but indeed this issue is very annoying. I guess as the android and chrome clients rely on the same backend; I encountered the same problem with both clients.

Ah yes, I can investigate in this direction. So basically, authenticating yourself in the Android app forces you to authenticate again on the web extension?

@guillaumevincent The issue is more about having random logouts.

Although I tried the issue you described: I was logged in in the chrome extension and logged out in the android app, then signed in to the android app, but I remained connected in the chrome extension, so it does look like we have this issue.

Thanks a lot for investigating on that.

@guillaumevincent telling users they need to log back in might reduce frustration, as one will start filling the form right away and then realize they are offline and need to start again.
For instance, a banner at the top suggesting to log in?

Hum, I would like to have the token working properly even after a restart of the containers. I will update the python modules in the containers to see if there is some improvement.

Unfortunately this appears not to be fixed yet (on the contrary, my subjective impression is that it got even worse).

I still have to re-authenticate again almost every second time I use one of the browser add-ons.
This is frustrating since (from a UX perspective) it feels as inconvenient as not having a password manager at all (the only difference is that I don't have to type in the individual password each time, but the password to authenticate to lesspass plus my master password to generate the individual password).

The credentials that are stored on the lesspass server are worthless without my master password. Therefore I would argue that they are not really sensitive data (in terms of security, not privacy). Accordingly, usability should be the main focus here. Best case would be that I have to authenticate only once and after that always only need my master password to generate all the individual passwords.

Please make the add-ons stop asking me to re-authenticate to lesspass all the time. This is really annoying :)

@tim-peters can you give me:

  • browser name and the version of your browser
  • version of the browser extension

I'm on Firefox 79.0 with LessPass Web Extension 9.2.0

When I reopen the web extension after being authenticated, I don't have to authenticate again.

Today the actual behaviour is the following:

If you use LessPass at least once a week, you will be authenticated forever: see https://github.com/lesspass/lesspass/blob/master/containers/backend/lesspass/settings.py#L132-L134

@guillaumevincent After authenticating yesterday, the login was still persistent this morning. But today during the day I had to re-authenticate several times on all devices / add-ons.

I wish it would be as you describe as 'actual behaviour'.

I use:

  • LessPass Web Extension 9.2.0 on Firefox 79.0
  • LessPass Web Extension 9.2.0 on Chrome 84.0.4147.125
  • LessPass Android App 9.1.10 on Android 9 (Xiaomi Mi6)

This is really strange. Do you have a web extension that cleans your local storage?

Not that I know of. And this would only explain my web browser's extension, not the android app, right?

@guillaumevincent

Even after extensive testing with different browsers and devices, I can safely say that I still get randomly logged out of Lesspass after less than a week. I then have to enter my credentials again, just to access non-critical data like sites and usernames. That just doesn't make any sense and is really annoying.

And again: even one week would be way too short. The standard for such non-critical logins (before automatically being logged out) is between 3 months and 2 years (take Facebook or Google as an example).
Or please think of a use case where people use different devices. It is absolutely normal to use a specific personal device less than once a week.

Please consider setting the auto logout time significantly higher. It would improve the overall UX a lot!

+1. This is the only reason I'm actually considering moving to another application from time to time. Having to authenticate every single time just to get non-critical information is really frustrating.

Sharing the same frustration; it makes the use of the app impractical.

@Laski @canercandan I would be happy to fix the issue, but I can't reproduce it

If I understand you correctly, you have disconnections from time to time, right?

The workflow is:

  • you open the extension on Chrome and log in
  • you close the extension
  • you reopen the extension right after and you are still logged in
  • you wait a bit (at least 15 minutes)
  • you reopen the extension and you are logged out again

@guillaumevincent it's more like several days than 15 minutes.

If it can help: when you click the extension:

  • the website credentials are correctly set, and the layout shows that we are logged in
  • about 500ms later, the layout does change and shows that we are now logged out (like if a refresh token fails or something like that)
  • the credentials are still present though and we can authenticate one time on the current website

Can it be 7 days?

https://github.com/lesspass/lesspass/blob/master/containers/backend/lesspass/settings.py#L146

about 500ms later, the layout does change and shows that we are now logged out (like if a refresh token fails or something like that)

Oh I think I have an idea.

Before we mount the component we try to get password profiles.

  // Vue lifecycle hook: fetch the password profiles before the component mounts
  beforeMount() {
    this.$store.dispatch("getPasswords");
  },

If the API returns an error, because the refresh token is not valid (after 7 days), then we log out:

https://github.com/lesspass/lesspass/blob/master/packages/lesspass-pure/src/store/actions.js#L52

This is why you see this little glitch: authenticated, not authenticated, but it continues to work, because we refreshed the token.

https://github.com/lesspass/lesspass/blob/master/packages/lesspass-pure/src/api/http.js#L18-L52

I'm going to fix this as soon as possible.

I apologize for this bad code.

thank you @jdeniau
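The glitch described above, modelled as an added example that is not LessPass code: a fake backend with a stale access token, an HTTP layer that refreshes once and retries on 401, and the getPasswords action in two shapes, one that logs out on the first raw error (the flicker) and one that only logs out when the refresh itself fails. Token strings, the sample profile and the function names are constructed for the example; the real store and http.js are structured differently.

```javascript
// Added example (not LessPass code): why the UI shows "logged out" while the
// data still loads. A store that logs out on any API error flips state even
// when the HTTP layer silently refreshed the token and retried.

// Constructed fake backend: the client's stored access token is stale, the
// refresh token is valid unless the scenario says otherwise.
function makeFakeServer(refreshValid) {
  const liveAccess = new Set(["access-fresh"]);
  return {
    getPasswords(access) {
      if (!liveAccess.has(access)) return { status: 401 };
      return { status: 200, body: [{ site: "example.com", login: "alice" }] };
    },
    refresh(refreshTok) {
      if (!refreshValid || refreshTok !== "refresh-ok") return { status: 401 };
      return { status: 200, body: { access: "access-fresh" } };
    },
  };
}

// HTTP layer: on 401, refresh once and retry. `onRawError` is the hook the
// buggy store uses to log out as soon as the first response fails.
function requestWithRefresh(server, session, call, onRawError) {
  let res = call(session.access);
  if (res.status !== 401) return { ...res, sessionLost: false };
  if (onRawError) onRawError(res);
  const r = server.refresh(session.refresh);
  if (r.status !== 200) return { status: 401, sessionLost: true };
  session.access = r.body.access;
  return { ...call(session.access), sessionLost: false };
}

// The getPasswords action. `transitions` records every auth-state change, so
// ["in", "out"] together with loaded data is the contradictory state users saw.
function runGetPasswords(refreshValid, logoutOnAnyError) {
  const server = makeFakeServer(refreshValid);
  const session = { access: "access-stale", refresh: "refresh-ok" };
  const state = { authenticated: true, passwords: [], transitions: ["in"] };
  const logout = () => {
    if (state.authenticated) { state.authenticated = false; state.transitions.push("out"); }
  };
  const res = requestWithRefresh(server, session, (tok) => server.getPasswords(tok),
    logoutOnAnyError ? logout : null);
  if (res.status === 200) state.passwords = res.body;
  else if (res.sessionLost) logout(); // fixed shape: only a failed refresh ends the session
  return state;
}
```

Calling `runGetPasswords(true, true)` reproduces the flicker (logged out, yet one profile loaded); `runGetPasswords(true, false)` stays logged in, and `runGetPasswords(false, false)` logs out cleanly with no data, which is the only case where a logout is warranted.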

@guillaumevincent It might be seven days, but I'm not sure, I would say "several days" yes though.

Nice if my comment did help! You are doing a wonderful job, no need to apologize 👍

I pushed a new version on Chrome store and Firefox AMO

Thanks for the quick fix! Keep up the good work

Thank you so much @guillaumevincent! you're doing an amazing job!

:heart: I just hope this time I fixed it correctly
