this post was submitted on 10 Mar 2025
36 points (100.0% liked)
sh.itjust.works Main Community
Home of the sh.itjust.works instance.
founded 2 years ago
So I've just tested something and it seems Lemmy devs haven't set a default expiry time for the login JWT tokens, or it's something stupidly long.
Logging out clears the cookie from your browser, but not in the server database, which isn't atypical and is mostly fine, or at least would be fine if the server's copy expired sooner rather than later.
Just to be sure, I just tested that a password change does indeed purge those from the database, so that works at least.
I'll try and see what we can implement locally (hopefully without breaking everything) to purge these more frequently.
Removing these faster also means forcing people to re-enter their credentials more frequently.
I can't find anywhere to configure that, neither in the instance settings nor in user settings, which probably means it's whatever lemmy devs set as default.
Anyway, thanks for the question, because it's dumber than I thought.
Would it be possible to reset the purge timer for individual users based on activity? E.g. a user who comments or up/downvotes something gets their purge timer reset, so that active users never get purged unless they change their password or similar. Not sure how easy it is to tie activity data to a login token; I have no idea how Lemmy or anything else works.
Lemmy could keep the last time each token was used (every request uses it), but then it'd do a lot of writes and likely be a somewhat poor choice for performance reasons.
Some sites display your other current logins with an option to remove whichever as you see fit, which seems more elegant.
Putting the user in control seems more ideal than guessing.
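The thread above touches on four things a login-token scheme needs: an expiry in the token itself, a server-side record so logout and password change actually revoke (not just delete the browser cookie), a sliding idle timeout without a database write on every request, and a per-user list of sessions the user can revoke. The following is an added example that is not Lemmy's code and was not written by anyone in this thread; it implements all four with the Python standard library. The class and function names (SessionStore, sign_jwt, verify_jwt), the 30-day cap, the 7-day idle window and the hourly write throttle are assumptions chosen for illustration, and the in-memory dict stands in for the database table. The HS256 JWT signing and verification is a minimal stdlib version written here, not a library.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumed parameters for the example (not Lemmy defaults).
SECRET = secrets.token_bytes(32)      # HS256 signing key, per process here
TOKEN_LIFETIME = 30 * 24 * 3600       # absolute cap: token dies after 30 days
IDLE_TIMEOUT = 7 * 24 * 3600          # sliding window: dies if unused for 7 days
TOUCH_INTERVAL = 3600                 # write last_used at most once per hour


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims):
    """Minimal HS256 JWT: header.payload.signature, base64url without padding."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def verify_jwt(token):
    """Return the claims if the signature is valid, else None.

    The alg is pinned to HS256 so a forged header cannot pick another one."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        return json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None


class SessionStore:
    """One server-side record per issued token, keyed by the JWT's jti claim.

    Deleting the record is what revokes the token; the cookie alone is not enough."""

    def __init__(self):
        self.sessions = {}  # jti -> {"user", "issued", "last_used", "ua"}

    def login(self, user, user_agent, now):
        jti = secrets.token_urlsafe(16)
        self.sessions[jti] = {"user": user, "issued": now, "last_used": now, "ua": user_agent}
        return sign_jwt({"sub": user, "jti": jti, "iat": now, "exp": now + TOKEN_LIFETIME})

    def authenticate(self, token, now):
        """Return the user name for a valid, unrevoked, non-idle token, else None."""
        claims = verify_jwt(token)
        if claims is None or claims.get("exp", 0) <= now:
            return None                      # forged, tampered, or past the absolute cap
        rec = self.sessions.get(claims.get("jti"))
        if rec is None or rec["user"] != claims.get("sub"):
            return None                      # revoked by logout / password change
        if now - rec["last_used"] > IDLE_TIMEOUT:
            del self.sessions[claims["jti"]] # idle too long: purge on next use
            return None
        if now - rec["last_used"] > TOUCH_INTERVAL:
            rec["last_used"] = now           # sliding window, throttled to limit writes
        return rec["user"]

    def logout(self, token):
        """Server-side logout: drop the record, not just the browser cookie."""
        claims = verify_jwt(token)
        if claims:
            self.sessions.pop(claims.get("jti"), None)

    def change_password(self, user):
        """Purge every session of the user, as the thread observed Lemmy does."""
        for jti in [j for j, r in self.sessions.items() if r["user"] == user]:
            del self.sessions[jti]

    def list_sessions(self, user):
        """What a 'your other logins' page would show."""
        return [(jti, r["ua"], r["last_used"]) for jti, r in self.sessions.items() if r["user"] == user]

    def revoke(self, user, jti):
        """Let the user kill one of their own sessions; refuse others' sessions."""
        rec = self.sessions.get(jti)
        if rec is None or rec["user"] != user:
            return False
        del self.sessions[jti]
        return True
```

The design point is that the JWT's exp only bounds the worst case; day-to-day revocation comes from the server-side table, and the idle window is refreshed lazily (at most once per TOUCH_INTERVAL per token) so an active user stays logged in without a database write on every request.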