Too much login / captcha

  • Now I’m having to get an email code every 3 days to log in in Windows. But in the Android app, I only have to authorize once, EVER. Please stop the excessive security on computers. I don’t want it.

  • Hi @adamadept! I think I just replied to you on the other thread, but maybe we can get to the bottom of this. Are you using the standalone Windows app or a web browser? If you can share some details about your setup I might be able to troubleshoot further. The intention is definitely that you should be able to stay logged in indefinitely.

  • Hi, I’m using Brave in Windows 11. I experienced the same issue in Chrome.
    While trying to look at the cookies, I noticed you’re taking over the inspect keyboard shortcut, and also inspect is not in the context menu. This is not ideal.

    I just logged in (9/12), and I have an ‘auth’ cookie that expires 2024-09-26T16:05:15.157Z
    and ‘token’ expires 2024-09-25T18:28:57.540Z
    So it looks like cookies are being set 2 weeks out.
    There are also some tk_* cookies.

    Local storage has a stored_user.accessToken; that expiration must be handled server side.
    I’m not sure why there seem to be 3 auth-related values; you should only need 1.

  • Thanks for that info! So you see the cookies being set two weeks out, but are still prompted to log in again before the two weeks are up? And Brave is definitely not set to delete those cookies when you close the browser, correct? I know it’s a privacy-centric browser so I’m wondering if there’s a default somewhere that’s interfering with saving those cookies. (As for why there are three, we’ll go with backwards-compatibility, AKA “historical reasons”, which is to say that much of the authentication code was written over a decade ago, which is, in software terms, a time when dinosaurs still roamed the earth.)

    By the way, if you need to add sites to an allow list, you might also need to add simperium.com (our backend server). I don’t believe it is directly setting any cookies, but mentioning it for the sake of completeness, as sometimes it is blocked by plugins or firewalls.

    Inspect not being in the context menu is a limitation of the embedded text editor, which adds a custom right-click menu, but if you right-click outside of the text editing area, it should still be there. Which shortcut are you using for Brave, and what does it do instead? Looking at this page, Ctrl+Shift+J to view Developer Tools? We aren’t purposefully overriding it, but there may be a collision between the text editor and browser shortcuts. Keyboard shortcut real estate is sadly in short supply :/

    Oh, one last thought – when you logged in, I assume you checked “Remember me”? Did you log in using your password or via a link in your email? And is there any difference in the cookies that get set if you try it the other way?

  • The cookies are 2 weeks out, which is also too short. But yes, I get prompted to log in after a few days. I don’t even close my browser for weeks at a time.
    There is no “remember me” option.
    I have to enter my username and password, then do the email thing.

  • I have to enter my username and password, then do the email thing.

    The purpose of the magic link login is to provide a passwordless experience. Can you try logging out and then, this time, click the button that says “Log in with email”?

    Let us know if this helps!

  • Yes I did it with the email link. That’s not the point – the point is I just watched it create an auth cookie 2 weeks out. You are requiring re-auth every 2 weeks.

  • Currently, the web app has a two-week authentication window, which is the standard. This means that you might be prompted to re-authenticate every two weeks to ensure the security of your account.

    However, if you switch to using the desktop app, you’ll likely find that you remain signed in for a longer duration, as desktop apps often handle authentication differently.

  • Wow, are you aware this answer is counter to everything you’ve been telling us previously?
    I’ve been a web developer for 30 years. There is no “standard”, but 2 weeks is common only for high security sites, it’s excessive for a note app. Simplenote is actually harder to log into than my bank. 90 days is more common for user convenience. Please for the love of god extend your cookie to 6 months. I don’t want it in an app, I want it in a browser tab.

  • @adamadept I will pass that feedback along to our team.
