[User Testing] User Login
This feature testing stage has been completed.
Users should be able to login in a secure fashion using the
[options] disable_http_login is set to 1, cookies use the SameSite=strict attributes. When it is set to 0, of course, the converse happens -- completely insecure cookies are used.
Intended session persistence timing:
- Remember Me checked: 2592000 seconds (30 days)
- 7200 seconds (2 hours)
Caveat: The PHP implementation re-emits cookies without secure or samesite attributes. So, if users are switching between PHP and FastAPI on a local Docker instance configured on different ports, browsing around authenticated PHP will mean that the next browsing of FastAPI will be unauthenticated. This is due to how clients handle cookie emission: they store cookies for localhost (regardless of the port). This may also occur on aur-dev.archlinux.org as versions are changed.
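The behaviour described above can be sketched as follows. This is an added example, not code from the project: it builds the session cookie for both `disable_http_login` values and models a client store that ignores the port, so a re-emitted cookie replaces the hardened one. The cookie name `SID`, the ports, and the reading of 7200 seconds as the "Remember Me unchecked" lifetime are assumptions; the toy store models only host-keyed storage, not a browser's full cookie policy.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

REMEMBER_ME_AGE = 2592000  # 30 days (from the issue)
DEFAULT_AGE = 7200         # 2 hours (assumed: Remember Me unchecked)
REQUIRED = ("secure", "samesite")  # attributes the caveat says get dropped


def session_cookie(sid, disable_http_login, remember_me, name="SID"):
    """Build a Set-Cookie value; "SID" is a constructed cookie name."""
    jar = SimpleCookie()
    jar[name] = sid
    morsel = jar[name]
    morsel["path"] = "/"
    morsel["max-age"] = REMEMBER_ME_AGE if remember_me else DEFAULT_AGE
    if disable_http_login:
        morsel["secure"] = True
        morsel["samesite"] = "strict"
    return morsel.OutputString()


class ClientJar:
    """Toy client store keyed by (host, path, name); the port is ignored."""

    def __init__(self):
        self.store = {}

    def receive(self, url, set_cookie):
        host = urlsplit(url).hostname
        parsed = SimpleCookie()
        parsed.load(set_cookie)
        for name, morsel in parsed.items():
            # Same host, path and name: the newer cookie replaces the older.
            self.store[(host, morsel["path"] or "/", name)] = morsel

    def missing_attrs(self, url):
        """Map cookie name -> required attributes absent for this host."""
        host = urlsplit(url).hostname
        return {name: [a for a in REQUIRED if not m[a]]
                for (h, _, name), m in self.store.items() if h == host}


if __name__ == "__main__":
    jar = ClientJar()
    # Constructed ports: 8443 stands in for FastAPI, 8081 for PHP.
    jar.receive("https://localhost:8443/login", session_cookie("a" * 32, 1, True))
    print(jar.missing_attrs("https://localhost:8443/"))
    jar.receive("http://localhost:8081/", "SID=" + "a" * 32 + "; Path=/")
    print(jar.missing_attrs("https://localhost:8443/"))
```

Running `missing_attrs` over the `Set-Cookie` headers captured from each backend gives a quick check of which implementation is emitting the session cookie without its attributes.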
- #184 (closed) - Fixed infinite redirection loop
- #197 (closed) - Fixed conflicting session ID generation
- !322 (merged)
Following is a list of reporters who have contributed to helping test this feature, which is updated as feedback is provided.