The lesspass Chrome add-on is quite handy because it automatically detects what site I'm on and suggests the domain and username fields accordingly - if the user is logged in to lesspass.
Unfortunately I get automatically logged out of lesspass from time to time. So I have to enter my lesspass username and password (to log in to lesspass) and my master password for the website just to get my password. This is quite annoying and absolutely not necessary from a security perspective (domain and username are not that sensitive).
Is the auto-logout a normal behavior?
I do use the lesspass add-on with the same account on different PCs. Could this have anything to do with that?
Normally I configure the JWT token to be valid for one week.
Maybe the deployment breaks the token validity.
Let me check this
Thanks for the feedback
Thanks for your quick response!
Since the add-on is usually installed on a personal device and the lesspass account contains no passwords, I wonder whether the token could be valid for even longer than a week. I'm thinking of a period of up to 6 months - comparable to that of a Google or Facebook login.
Another option would be a 'keep me logged in' checkbox.
I think this sounds like a small feature, but it could have a great impact on usability and simplicity of the workflow.
@tim-peters if you open the app at minimum once a week, the token is refreshed and you're good for another week -> https://github.com/lesspass/pure/blob/master/src/store/actions.js#L10-L17
After some investigation, the backend invalidates the token after a server reboot.
I will try to fix this
For me this is still one of the greatest usability hiccups. I do use the lesspass add-on on multiple devices. Because of that there can be several days (up to weeks) between each usage on one device. Since the token has a lifespan of just one week, I almost always have to log in to my lesspass account first before I can start to type my master password to generate the password for a specific site. This feels like I have to log in twice.
Could you at least increase the lifespan of the token to 4 weeks? Even better would be to have a checkbox to make it permanent (like the 'keep me logged in' checkbox on most sites).
I think this would go without a major drawback in security since I still have to type in my master password every time I want to generate a specific password.
Hello @tim-peters,
I need to think more about the problem. Maybe a keep me logged in option, or increase the life of the token to 1 month. The data saved is not critical. I don't know what solution is best.
The annoying thing is when you have to authenticate on one of your trusted devices such as your smartphone/laptop.
Should we increase the lifetime of the session or find a way to ease authentication on such devices?
I think that our identity is intrinsic to ourselves, and I find it pretty awkward to need to prove that I'm still myself every time I want to log in to a service.
I agree with @edouard-lopez and @tim-peters on this one. I think that increasing the token to a month is nice, but why not a year though?
Another solution may be to keep a "local" storage for data; this way you don't have to fetch the old data from the server, but I think it's not as great.
@guillaumevincent I don't know if you try to keep the tokens after a server reboot, but if you do, a one-month token + keep sessions seems nice
Sometimes, and I mean most of the time, Lesspass logs me out of my master password within 5-15 minutes of logged in time. I am not sure if it is a problem with the browser or the lesspass add-on. I have "clear local storage and cookies on exit" set in my browser. Does this affect lesspass? Also, what is the default behavior? Does lesspass maintain the session on browser reload (within 7 days as mentioned above)?
@nodejs-practice login information is saved in local storage, so yes, when you clear local storage, you are logged out automatically at the same time
+1. I use lesspass extension in many different browser+os+device combinations, and it's really annoying having to login again and again.
Since this issue remained open for more than a year now, maybe a quick recap of the results of our discussion:
I would really suggest giving this issue a high priority (imho it's a huge showstopper for non-regular or new users)
Hello @tim-peters,
yes, definitely I should look at this issue.
I'm a little busy this summer (I'm the father of an adorable little girl)
I will try to find some time soon
sorry for this
I encountered the bug today
It's related to docker and .env file.
Every time docker is restarted the secret key of the backend is regenerated.
I will fix this as soon as possible
Love lesspass, using it every day, but indeed this issue is very annoying. I guess as the Android and Chrome clients rely on the same backend, I encountered the same problem with both clients.
Ah yes, I can investigate in this direction. So basically authenticating yourself in the Android app forces you to authenticate again on the web extension?
@guillaumevincent The issue is more about having random logouts.
Although I tried the issue you described: I was logged in in the Chrome extension and logged out in the Android app, then signed in to the Android app, but I remained connected in the Chrome extension, so it does look like we have this issue.
Thanks a lot for investigating on that.
@guillaumevincent telling users they need to log back in might reduce frustration, as one will start filling the form right away, then realize they are offline and need to start again.
For instance, a banner at the top to suggest to log-in?
Hum, I would like to have the token working properly even after a restart of the containers. I will update the python modules in the containers to see if there is some improvement
It will be fixed by https://github.com/lesspass/lesspass/commit/7750813ebe5a77c36dd7eb1dd63647b672f3dce3
Thank you
Unfortunately this appears not to be fixed yet (on the contrary, my subjective impression is that it got even worse).
I still have to re-authenticate again almost every second time I use one of the browser addons.
This is frustrating since (from a UX perspective) it feels as inconvenient as not having a password manager at all (the only difference is that I don't have to type in the individual password each time but the password to authenticate to lesspass plus my master password to generate the individual password).
The credentials that are stored on the lesspass server are worthless without my master password. Therefore I would argue that they are not really sensitive data (in terms of security, not privacy). Accordingly usability should be the main focus here. Best case would be that I have to authenticate only once and after that always only need my master password to generate all the individual passwords.
Please, make the addons stop asking me to re-authenticate to lesspass all the time. This is really annoying :)
@tim-peters can you give me:
I'm on Firefox 79.0 with LessPass Web Extension 9.2.0
When I reopen the web extension after being authenticated, I don't have to authenticate again.
Today the actual behaviour is the following:
If you use LessPass at least once a week, you will be authenticated forever: see https://github.com/lesspass/lesspass/blob/master/containers/backend/lesspass/settings.py#L132-L134
@guillaumevincent After authenticating yesterday the login was still persistent this morning. But today during the day I had to re-authenticate several times on all devices / add-ons.
I wish it would be as you describe as 'actual behaviour'.
I use:
This is really strange, do you have a web extension that cleans your local storage?
Not that I know of. And this would only explain my web browser's extension not the android app, right?
@guillaumevincent
Even after extensive testing with different browsers and devices, I can safely say that I still get randomly logged out of Lesspass after less than a week. I then have to enter my credentials again, even just to access non-critical data like sites and usernames. That just doesn't make any sense and is really annoying.
And again: even one week would be way too short. The standard for such non-critical logins (before automatically being logged out) is between 3 months and 2 years (take Facebook or Google as an example).
Or please think of a usecase where people use different devices. It is absolutely normal to not use a specific personal device less than once a week.
Please consider setting the auto logout time significantly higher. It would improve the overall UX a lot!
+1. This is the only reason I'm actually considering moving to another application from time to time. Having to authenticate every single time just to get non-critical information is really frustrating.
Sharing the same frustration; it makes the use of the app impractical.
@Laski @canercandan I would be happy to fix the issue, but I can't reproduce it
If I understand you correctly, you have disconnections from time to time, right?
The workflow is:
@guillaumevincent it's more like several days than 15 minutes.
If it can help: when you click the extension:
Can it be 7 days?
https://github.com/lesspass/lesspass/blob/master/containers/backend/lesspass/settings.py#L146
about 500ms later, the layout does change and shows that we are now logged out (as if a refresh token failed or something like that)
Oh I think I have an idea.
Before we mount the component we try to get password profiles.
beforeMount() {
  this.$store.dispatch("getPasswords");
},
If the API returns an error, because the refresh token is not valid (7 days later), then we log out:
https://github.com/lesspass/lesspass/blob/master/packages/lesspass-pure/src/store/actions.js#L52
This is why you see this little glitch (authenticated, then not authenticated), but it continues to work, because we refreshed the token.
https://github.com/lesspass/lesspass/blob/master/packages/lesspass-pure/src/api/http.js#L18-L52
I'm going to fix this as soon as possible.
I apologize for this bad code.
thank you @jdeniau
@guillaumevincent It might be seven days, but I'm not sure, I would say "several days" yes though.
Nice if my comment did help! You are doing a wonderful job, no need to apologize 👍
I pushed a new version on Chrome store and Firefox AMO
Thanks for the quick fix! Keep up the good work
Thank you so much @guillaumevincent! you're doing an amazing job!
:heart: I just hope this time I fixed it correctly