Remember Me Feature Removal - Implementation Summary
Date: 2026-01-12
Task: Remove Remember Me feature and implement profile_timeouts priority
Status: ✅ COMPLETE
Overview
Removed the Remember Me functionality from the application and implemented profile-based idle timeouts that are enforced by middleware on top of the SESSION_LIFETIME environment variable: a profile whose timeout is shorter than SESSION_LIFETIME is logged out sooner, while SESSION_LIFETIME remains the upper bound because the session store itself discards sessions idle longer than that. This gives granular control over session expiration for different profile types.
Changes Made
1. Removed Remember Me Checkbox from Login Views ✅
Files Modified:
/resources/views/auth/login.blade.php (lines 87-94)
Before:
<div class="block mt-4">
<label for="remember_me" class="flex items-center">
<x-jetstream.checkbox id="remember_me" name="remember" />
<span class="ml-2 text-sm text-theme-primary">
{{ __('Remember me for :period', ['period' => daysToHumanReadable(timebank_config('auth.remember_me_days', 90))]) }}
</span>
</label>
</div>
<div class="flex items-center justify-end mt-4 mb-8">
After:
<div class="flex items-center justify-end mt-8 mb-8">
/resources/views/livewire/login.blade.php (line 42)
Before:
<form class="mt-8" wire:submit="login">
<input type="hidden" name="remember" value="true">
<div class="rounded-md shadow-sm">
After:
<form class="mt-8" wire:submit="login">
<div class="rounded-md shadow-sm">
/resources/views/livewire/registration.blade.php (line 83)
Before:
<form wire:submit="create">
<input name="remember" type="hidden" value="true">
@csrf
After:
<form wire:submit="create">
@csrf
2. Removed remember_me_days from All Config Files ✅
Files Modified:
- config/timebank_cc.php - Removed 'remember_me_days' => 90, from auth section
- config/timebank_cc.php.example - Removed from auth section
- config/timebank-default.php - Removed from auth section
- config/timebank-default.php.example - Removed from auth section
Before:
'auth' => [
'remember_me_days' => 90, // Number of days the "Remember me" checkbox will keep users logged in
'minimum_registration_age' => 18,
],
After:
'auth' => [
'minimum_registration_age' => 18, // Minimum age for registration (GDPR Article 8 compliance)
],
3. Created ProfileSessionTimeout Middleware ✅
New File: app/Http/Middleware/ProfileSessionTimeout.php
Purpose: Enforces profile-specific idle timeouts that take precedence over SESSION_LIFETIME from .env whenever they are shorter than it
Key Features:
- Tracks last activity timestamp in session
- Calculates idle time and compares against profile-specific timeout
- Automatically logs out users when timeout is exceeded
- Uses profile_timeouts from platform config
- Falls back to profile_timeout_default if profile type not configured
- Logs timeout events for debugging
Implementation Highlights:
// Get profile-specific timeout
$timeoutMinutes = $this->getProfileTimeout($activeProfileType);
// Calculate idle time
$idleMinutes = (now()->timestamp - $lastActivity) / 60;
// Check timeout and logout if exceeded
if ($idleMinutes > $timeoutMinutes) {
Auth::logout();
$request->session()->invalidate();
return redirect()->route('login')
->with('status', __('Your session has expired due to inactivity.'));
}
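The highlight above leaves out the parts that decide whether the check is safe: skipping guests, what happens when no timestamp exists yet, which requests count as activity, and the cap imposed by session.lifetime. The following is an added example of a complete middleware written for this summary, not the project's own ProfileSessionTimeout.php. It assumes (neither is stated on this page) that the active profile's class name is stored in the session under active_profile_type and that background heartbeat routes are named with a presence. prefix.

```php
<?php

namespace App\Http\Middleware;

use App\Models\User;
use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Str;
use Symfony\Component\HttpFoundation\Response;

// Added example, not the project's own file. Assumed (not on the page):
// the session key 'active_profile_type' holds the active profile's class
// name, and route names starting with 'presence.' are background heartbeats.
class ProfileSessionTimeout
{
    private const LAST_ACTIVITY_KEY = 'last_activity_at';
    private const PROFILE_KEY = 'active_profile_type';   // assumed session key

    public function handle(Request $request, Closure $next): Response
    {
        // Guests have nothing to time out; the Authenticate middleware deals with them.
        if (! Auth::check()) {
            return $next($request);
        }

        // Remember Me is retired. A login that Laravel revived from a leftover
        // remember_* cookie never had a session clock, so end it at once;
        // logout() also rotates remember_token, which kills that cookie for good.
        if (Auth::viaRemember()) {
            return $this->expire($request, 'revived from remember cookie');
        }

        $session = $request->session();
        $lastActivity = $session->get(self::LAST_ACTIVITY_KEY);

        if ($lastActivity !== null) {
            $idleMinutes = (now()->timestamp - (int) $lastActivity) / 60;
            $timeoutMinutes = $this->getProfileTimeout(
                $session->get(self::PROFILE_KEY, User::class)
            );

            if ($idleMinutes > $timeoutMinutes) {
                return $this->expire($request, sprintf(
                    'idle %.1f min exceeds %d min', $idleMinutes, $timeoutMinutes
                ));
            }
        }

        // Only foreground requests move the clock. Background polling also
        // passes through the web group and would otherwise keep an abandoned
        // session alive indefinitely.
        if ($lastActivity === null || ! $this->isBackgroundRequest($request)) {
            $session->put(self::LAST_ACTIVITY_KEY, now()->timestamp);
        }

        return $next($request);
    }

    // Profile timeout from platform config, profile_timeout_default as fallback,
    // capped by session.lifetime: the session store discards any session idle
    // longer than that, so a larger profile value cannot take effect anyway.
    private function getProfileTimeout(string $profileType): int
    {
        $timeouts = config('timebank_cc.profile_timeouts', []);
        $minutes = (int) ($timeouts[$profileType]
            ?? config('timebank_cc.profile_timeout_default', 120));

        return min($minutes, (int) config('session.lifetime', 120));
    }

    private function isBackgroundRequest(Request $request): bool
    {
        $route = $request->route();
        $name = $route ? $route->getName() : null;

        return is_string($name) && Str::startsWith($name, 'presence.');   // assumed prefix
    }

    private function expire(Request $request, string $reason): Response
    {
        $userId = Auth::id();

        Auth::logout();                          // clears the guard, cycles remember_token
        $request->session()->invalidate();       // drops all data, issues a new session id
        $request->session()->regenerateToken();  // fresh CSRF token for the login form

        Log::info('Session timeout', [
            'user_id' => $userId,
            'reason'  => $reason,
            'ip'      => $request->ip(),
        ]);

        return redirect()->route('login')
            ->with('status', __('Your session has expired due to inactivity.'));
    }
}
```

Auth::viaRemember() is checked first because Laravel's SessionGuard will still log a user in from a remember_* cookie that predates this change; treating that login as expired and calling Auth::logout() rotates the stored token, so the cookie is useless afterwards. regenerateToken() after invalidate() gives the login page a fresh CSRF token so the user's next POST is not rejected with a 419.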
4. Registered Middleware in Kernel ✅
File: app/Http/Kernel.php
Change: Added ProfileSessionTimeout middleware to web middleware group
Position: After StartSession but before other auth-related middleware
'web' => [
\App\Http\Middleware\EncryptCookies::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\Illuminate\Session\Middleware\StartSession::class,
\App\Http\Middleware\ProfileSessionTimeout::class, // ← NEW
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
// ...
],
5. Updated Session Configuration ✅
File: config/session.php
Changes:
- Updated SESSION_LIFETIME default from 480 to 120 minutes
- Added comment explaining how profile_timeouts relate to this value
Before:
'lifetime' => env('SESSION_LIFETIME', 480),
After:
/*
| NOTE: Profile-specific idle timeouts live in platform config
| (config/timebank_cc.php -> 'profile_timeouts') and are enforced by the
| ProfileSessionTimeout middleware. This value is still the session store's
| own expiry, so it caps every profile timeout: a profile timeout longer
| than this is cut to this value, a shorter one is enforced as configured.
*/
'lifetime' => env('SESSION_LIFETIME', 120),
6. Updated Platform Config Documentation ✅
Files:
- config/timebank_cc.php
- config/timebank_cc.php.example
- config/timebank-default.php
- config/timebank-default.php.example
Section Renamed: "Profile Inactivity" → "Profile Session Timeouts"
Enhanced Documentation:
/*
|--------------------------------------------------------------------------
| Profile Session Timeouts
|--------------------------------------------------------------------------
|
| Define the inactivity timeout in minutes for each profile type.
| After the specified timeout, the user's session will expire and they
| will be logged out automatically. This provides security by ensuring
| inactive sessions are terminated.
|
| IMPORTANT: These timeouts take precedence over the SESSION_LIFETIME
| setting from .env whenever they are shorter than it. They are enforced
| by ProfileSessionTimeout middleware. SESSION_LIFETIME stays the upper
| bound, because the session store discards sessions idle longer than it.
|
| Security Best Practices:
| - User profiles: Short timeout (10-30 min) for regular accounts
| - Organizations: Medium timeout (30-60 min) for community profiles
| - Banks: Short timeout (15-30 min) for financial operations
| - Admins: Very short timeout (15-30 min) for privileged access
|
*/
'profile_timeouts' => [
App\Models\User::class => 10, // minutes
App\Models\Organization::class => 60,
App\Models\Bank::class => 30,
App\Models\Admin::class => 360, // TODO: change to 30 for production
],
'profile_timeout_default' => 120, // minutes. Fallback default
Current Session Timeout Configuration
Profile-Specific Timeouts (config/timebank_cc.php)
| Profile Type | Timeout | Duration | Security Level |
|---|---|---|---|
| User | 10 min | 10 minutes | High (short for regular users) |
| Organization | 60 min | 1 hour | Medium (longer for community work) |
| Bank | 30 min | 30 minutes | High (financial operations) |
| Admin | 360 min | 6 hours (cut to 2 hours in practice by SESSION_LIFETIME=120) | LOW ⚠️ (TODO: reduce to 30 min) |
| Default | 120 min | 2 hours | Fallback |
Environment Configuration
File: .env
SESSION_LIFETIME=120
Note: profile_timeouts shorter than this value take precedence over it. It is not only a fallback, though: the session store expires any session idle longer than SESSION_LIFETIME, so this value caps every profile timeout (the Admin timeout of 360 minutes is effectively 120 until the Admin value is lowered).
Security Improvements
Before (With Remember Me)
❌ Problems:
- Sessions lasted 90 days with Remember Me checkbox
- Users could remain logged in for months
- Increased risk on shared computers
- Privacy policy didn't disclose long sessions
- Single timeout for all profile types
After (Profile-Based Timeouts)
✅ Improvements:
- No new long-term authentication tokens are issued (existing remember_token values still need to be rotated, see Remember Tokens below)
- Profile-specific timeouts (10-360 minutes)
- Automatic logout after inactivity
- Clear session expiration messages
- Better security for financial transactions
- Granular control per profile type
Testing Required
Test 1: User Session Timeout (10 minutes)
# 1. Log in as regular user (e.g., user 161)
# 2. Wait 10 minutes without activity
# 3. Try to navigate to any page
# Expected: Automatic logout with "session expired" message
Test 2: Organization Session Timeout (60 minutes)
# 1. Log in as user, switch to organization profile
# 2. Wait 60 minutes without activity
# 3. Try to navigate to any page
# Expected: Automatic logout after 60 minutes
Test 3: Profile Switch Timeout Behavior
# 1. Log in as user (10 min timeout)
# 2. Wait 5 minutes
# 3. Switch to organization (60 min timeout)
# 4. Wait 10 more minutes (15 total since login)
# Expected: Still logged in (organization has 60 min timeout)
Test 4: Activity Keeps Session Alive
# 1. Log in as user (10 min timeout)
# 2. Every 5 minutes, navigate to a page
# 3. Continue for 30 minutes
# Expected: Session remains active because of continuous activity
Note: every request that passes through the web middleware group counts as activity, including background ones such as Livewire wire:poll updates or presence heartbeats. A page that polls will keep an otherwise idle session alive, so exclude such routes from the activity refresh (or refresh only on user-initiated requests) and confirm here that an open but untouched page still times out.
Test 5: Logout Clears Last Activity
# 1. Log in as user
# 2. Navigate around (establishes last_activity_at)
# 3. Log out
# 4. Log in again immediately
# Expected: New session starts, last_activity_at reset
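Tests 1, 3 and 4 above take between ten minutes and an hour of wall-clock waiting each. The following is an added example, not part of the project's test suite, that runs the same three scenarios in seconds using Laravel's time travel helper. It assumes a User factory, that GET /dashboard is an authenticated route inside the web middleware group, and that the middleware reads the active profile's class from the session key active_profile_type (none of these is stated on this page).

```php
<?php

namespace Tests\Feature;

use App\Models\Organization;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

// Added example test, not from the project. Assumed: a User factory, an
// authenticated /dashboard route in the web group, and the session key
// 'active_profile_type' read by the middleware.
class ProfileSessionTimeoutTest extends TestCase
{
    use RefreshDatabase;

    private const PAGE = '/dashboard';   // assumed route inside the web group

    protected function setUp(): void
    {
        parent::setUp();

        // Pin the timeouts so the test does not depend on deployment config.
        config()->set('timebank_cc.profile_timeouts', [
            User::class         => 10,
            Organization::class => 60,
        ]);
        config()->set('timebank_cc.profile_timeout_default', 120);
        config()->set('session.lifetime', 120);
    }

    public function test_user_is_logged_out_after_ten_idle_minutes(): void
    {
        $user = User::factory()->create();
        $this->actingAs($user)->get(self::PAGE)->assertOk();   // sets last_activity_at

        $this->travel(11)->minutes();                           // idle, no requests

        $this->get(self::PAGE)
            ->assertRedirect(route('login'))
            ->assertSessionHas('status');
        $this->assertGuest();
    }

    public function test_regular_activity_keeps_the_session_alive(): void
    {
        $user = User::factory()->create();
        $this->actingAs($user)->get(self::PAGE)->assertOk();

        for ($i = 0; $i < 6; $i++) {          // 30 minutes, one request every 5
            $this->travel(5)->minutes();
            $this->get(self::PAGE)->assertOk();
        }
        $this->assertAuthenticatedAs($user);
    }

    public function test_switching_to_an_organization_profile_extends_the_timeout(): void
    {
        $user = User::factory()->create();
        $this->actingAs($user)->get(self::PAGE)->assertOk();
        $this->travel(5)->minutes();

        // The switch is itself a request, so it refreshes last_activity_at,
        // and from here on the Organization timeout (60 min) applies.
        $this->withSession(['active_profile_type' => Organization::class])
            ->get(self::PAGE)->assertOk();

        $this->travel(12)->minutes();          // 17 min since login, 12 since switch:
        $this->get(self::PAGE)->assertOk();    // would have expired under the 10 min User timeout
        $this->assertAuthenticatedAs($user);
    }
}
```

Session state carries across requests within one test because the session store is a container singleton whose attributes are merged on each start, which is what lets last_activity_at survive between the calls. Run with php artisan test --filter ProfileSessionTimeoutTest.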
Database Impact
Sessions Table
No schema changes required. The middleware stores last_activity_at in the session data:
session(['last_activity_at' => now()->timestamp]);
Remember Tokens
The remember_token column in the users table stays in place, but it is not dead: Laravel's SessionGuard still checks a presented remember_* cookie against it, so a browser holding a cookie issued before this change can be re-authenticated into a fresh session (for example after the old server-side session has expired) even though the login form no longer sets the cookie. Auth::logout() rotates the token when the middleware times a user out, but only for users who come back while their session is still alive. Rotate or null every remember_token at deployment so that leftover cookies stop working; the column itself should remain, since the Authenticatable contract and password reset both use it.
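One way to do that cutover, as an added example that is not part of this change set: an artisan command that replaces every user's remember_token with a new random value, so no cookie issued before the deploy can match, and optionally empties the sessions table so no pre-change session survives either. It assumes the database session driver with Laravel's default sessions table.

```php
<?php

namespace App\Console\Commands;

use Illuminate\Console\Command;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Str;

// Added example, not part of the change set. Assumes the database session
// driver and the default 'sessions' table.
class RevokeRememberTokens extends Command
{
    protected $signature = 'auth:revoke-remember-tokens
                            {--chunk=500 : Users updated per batch}
                            {--flush-sessions : Also delete every row in the sessions table}';

    protected $description = 'Rotate every remember_token so old Remember Me cookies stop authenticating';

    public function handle(): int
    {
        $rotated = 0;

        // Rotate rather than null: each user keeps a non-empty token, so
        // SessionGuard::logout() keeps cycling it as before, but no cookie
        // issued earlier can ever match the new random value.
        DB::table('users')
            ->whereNotNull('remember_token')
            ->chunkById((int) $this->option('chunk'), function ($users) use (&$rotated) {
                DB::transaction(function () use ($users, &$rotated) {
                    foreach ($users as $user) {
                        DB::table('users')
                            ->where('id', $user->id)
                            ->update(['remember_token' => Str::random(60)]);
                        $rotated++;
                    }
                });
            });

        $this->info("Rotated remember_token for {$rotated} users.");

        if ($this->option('flush-sessions')) {
            $deleted = DB::table('sessions')->delete();
            $this->info("Deleted {$deleted} stored sessions; everyone must log in again.");
        }

        return 0;
    }
}
```

Run it once during the deploy, after the new code is live, as php artisan auth:revoke-remember-tokens --flush-sessions. Laravel picks the class up automatically from app/Console/Commands; --flush-sessions logs every user out at that moment, so schedule it for a quiet period and mention it in the user communication.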
Files Summary
Created (1 file)
- app/Http/Middleware/ProfileSessionTimeout.php - New middleware
Modified (11 files)
Views (3 files):
- resources/views/auth/login.blade.php - Removed Remember Me checkbox
- resources/views/livewire/login.blade.php - Removed hidden remember field
- resources/views/livewire/registration.blade.php - Removed hidden remember field
Config (5 files):
- config/timebank_cc.php - Removed remember_me_days, updated documentation
- config/timebank_cc.php.example - Same changes
- config/timebank-default.php - Same changes
- config/timebank-default.php.example - Same changes
- config/session.php - Updated comments and default lifetime
Middleware (1 file):
- app/Http/Kernel.php - Registered ProfileSessionTimeout middleware
Documentation (2 files):
- SESSION_EXPIRATION_ANALYSIS_2026-01-12.md - Analysis document
- REMEMBER_ME_REMOVAL_2026-01-12.md - This document
Backward Compatibility
Breaking Changes ⚠️
- Users holding a Remember Me cookie are logged out the next time they return after their profile timeout (10-360 minutes depending on profile type), and Auth::logout() rotates their remember_token at that point. A user who does not return until the old session has expired can still be re-authenticated by the cookie unless the tokens are rotated at deployment (see Remember Tokens above)
- No more 90-day sessions - Maximum session is now determined by profile_timeouts (currently max 360 minutes for Admins, cut to 120 by SESSION_LIFETIME)
- Session expiration behavior changed - Users will experience more frequent logouts based on inactivity
Migration Notes
For Users:
- No data loss
- Will need to log in more frequently
- Better security for their accounts
For Admins:
- Update privacy policy to remove Remember Me disclosure
- Monitor user feedback about session timeouts
- Consider adjusting profile_timeouts if needed
Privacy Policy Updates Required
Remove from Privacy Policy ⚠️
The following items were added in the previous session. Only the lines marked REMOVE THIS go; the online presence items stay as they are:
From Section 3.4 (Technical Data):
- **Online presence data** (for real-time messaging features)
- Online/offline status
- Last seen timestamp
- Recent activity for presence detection (within 5-minute threshold)
- Data is automatically deleted after inactivity or when you log out
- **Authentication tokens** (for "Remember Me" feature) ← REMOVE THIS
- Optional remember me token (stored for 90 days if enabled) ← REMOVE THIS
- Automatically deleted when you log out or token expires ← REMOVE THIS
From Section 9 (Security):
## Session Security
- Regular sessions expire after 2 hours of inactivity ← UPDATE THIS
- "Remember Me" feature (optional) keeps you logged in for 90 days ← REMOVE THIS
- Use only on trusted personal devices ← REMOVE THIS
- Always log out on shared or public computers ← REMOVE THIS
Update to Say Instead:
Section 9 (Security):
## Session Security
- Sessions expire automatically based on profile type and inactivity:
- User profiles: 10 minutes of inactivity
- Organization profiles: 60 minutes of inactivity
- Bank profiles: 30 minutes of inactivity
- Admin profiles: 6 hours of inactivity (to be reduced to 30 minutes)
- Sessions are encrypted and stored securely
- Automatic logout protects your account on shared computers
Publish only what is actually in force: reduce the Admin timeout before the policy goes live rather than promising a future change, and claim encrypted sessions only if that holds for the deployment (EncryptCookies encrypts the session cookie, but payloads in the sessions table are encrypted at rest only when config/session.php sets 'encrypt' => true).
Known Issues / TODO
1. Admin Timeout Too Long ⚠️
Current: 360 minutes (6 hours, although SESSION_LIFETIME=120 already cuts it to 2 hours in practice)
Recommended: 30 minutes
File: config/timebank_cc.php line 1413
App\Models\Admin::class => 360, // TODO: change to 30 for production
Action Required: Update to 30 minutes before production deployment
2. User Timeout Very Short
Current: 10 minutes
Consideration: May be too aggressive for regular users
Recommendation: Consider increasing to 30 minutes based on user feedback
3. Session Sweep Lottery
The sessions table needs periodic cleanup. Laravel's session garbage collector does not run on a schedule; each request has a 2-in-100 chance of triggering it (config/session.php 'lottery' => [2, 100]), and it deletes rows whose last_activity is older than session.lifetime. An expired row is ignored on read even before it is swept, so stale rows are a storage hygiene issue rather than a way back into an account.
Verify this is running:
# Check if old sessions are being cleaned up (last_activity is a Unix timestamp)
mysql -u root -p timebank_cc -e "SELECT COUNT(*) as old_sessions FROM sessions WHERE last_activity < UNIX_TIMESTAMP(DATE_SUB(NOW(), INTERVAL 2 HOUR));"
Rollback Instructions
If needed to rollback these changes:
1. Restore Remember Me Checkbox
git diff HEAD~1 resources/views/auth/login.blade.php
git checkout HEAD~1 -- resources/views/auth/login.blade.php
git checkout HEAD~1 -- resources/views/livewire/login.blade.php
git checkout HEAD~1 -- resources/views/livewire/registration.blade.php
2. Restore remember_me_days Config
git checkout HEAD~1 -- config/timebank_cc.php
git checkout HEAD~1 -- config/timebank_cc.php.example
git checkout HEAD~1 -- config/timebank-default.php
git checkout HEAD~1 -- config/timebank-default.php.example
3. Remove ProfileSessionTimeout Middleware
# Remove from Kernel.php
# Delete app/Http/Middleware/ProfileSessionTimeout.php
rm app/Http/Middleware/ProfileSessionTimeout.php
Deployment Checklist
- Code review - Review all changes
- Update privacy policy - Remove Remember Me disclosure
- Test session timeouts - Verify timeouts work for all profile types
- Monitor logs - Check for ProfileSessionTimeout log entries
- User communication - Notify users of changed session behavior
- Reduce admin timeout - Change from 360 to 30 minutes
- Rotate remember tokens - Invalidate remember_token values issued before the change so leftover cookies cannot re-authenticate anyone
- Clear cache - php artisan config:clear (or php artisan config:cache where the config cache is used in production)
- Restart queue workers - If using queue workers
Verification Commands
Check Config is Loaded
php artisan tinker
>>> config('timebank_cc.profile_timeouts')
>>> config('session.lifetime')
Test Middleware is Registered
# route:list has no middleware filter; -v expands each route's middleware groups so the class name is visible
php artisan route:list -v | grep ProfileSessionTimeout
# Or inspect the web group directly
php artisan tinker
>>> app(\Illuminate\Contracts\Http\Kernel::class)->getMiddlewareGroups()['web']
Monitor Session Timeouts
# Watch application logs for timeout events
tail -f storage/logs/laravel.log | grep "Session timeout"
Conclusion
- ✅ Successfully removed Remember Me feature
- ✅ Implemented profile-based session timeouts
- ✅ Improved security with granular timeout control
- ✅ Better aligned with time banking security requirements
Next Steps
- Test thoroughly - Verify all profile types timeout correctly
- Update privacy policy - Remove Remember Me disclosure
- Reduce admin timeout - From 360 to 30 minutes for production
- Monitor user feedback - Adjust timeouts if needed
- Deploy to production - After testing complete
Report Generated: 2026-01-12
Implementation Status: Complete ✅
Testing Status: Pending ⏳
Deployment Status: Ready for testing