"Remember me" functionality

#1

I’ve managed to set up Okta authentication with Spring Boot and the login widget. It works. What doesn’t work is the “Remember me” field on the login page. All it does is remember to check the box. The session time remains the same. After less than an hour of inactivity I am required to log in again. How do I make it remember me? I expect not to be required to provide a password for days.

#2

What type of login are you performing, a standard OAuth redirect?
“Remember me” should only remember the identity of the person, not the authenticated state. The length of your Okta sessions is controlled via your Okta Admin Console.

Does that help?

#3

I think it’s the standard OAuth one.

So “Remember me” is just for remembering the user’s login and prefilling the form?

I can’t seem to find the session length setting. I would expect it to be in the Application settings, but in the General Settings tab I can’t find anything about it. Could you direct me to the right place?

Thank you for your help.

#4

So, you can’t find it either?

#5

As an admin, you can find it using the classic UI:
Security->Authentication->Sign-On->Add Rule
Scroll down and it is named “session lifetime”.
The default is 2 hours.

Keep in mind that it is a good idea to get your users to log in as often as they can, as it can bring a security concern (so if they leave their device unlocked, someone can’t access the application easily).

#6

Thank you for helping me find the setting. By the way, having two UIs seems very confusing. But I guess one day Okta will migrate to a single one.

#7

I’m glad that helped you, enjoy your day!

#8

Well, actually, setting it did not help. As I mentioned, I need to log in again after about half an hour of inactivity. So the default 2 hours (which you showed me how to extend) were never working.

My setup is OAuth with Spring Boot. I use okta-spring-boot-starter 1.0.0 in pom.xml. To set everything up I followed a multitude of Okta blog posts and docs. In the end, the whole Okta setup consists of application.yml settings (okta.oauth2.* and spring.security.oauth2.*) and authentication enabled in Application by configuring OAuth2SecurityConfigurerAdapter. I have not customized anything more. Authentication works, but sessions last less than half an hour. What might be the problem?

#9

I’m assuming, since you’re doing Spring Boot, it is some sort of web application. If the user uses Okta in any other format, then that should keep the session alive without having to use your application.

Alternatively, you could create a listener class in your application that runs a timer and retrieves the token continuously after a set amount of time.

Or, if it is a webpage, you could force the user to refresh the page (thus retrieving the token) after a set amount of time.

Otherwise, if you just want the remember me function, you could try cookies and input it that way (although I absolutely do not recommend this for passwords, so you will still need to type it in). You could also use Chrome or the Okta plugin to remember the password for you. (You will still have to update it every now and then, as it will not be updated if the password changes, and you should not design with this in mind unless you absolutely have to.)

Honestly, you should probably try to adapt the program around this measure for security. I can’t think of any application that has no user interaction for 30 mins, never mind days.

Let me know if this helps!