
h logs users out too frequently #8949

Closed
seanh opened this issue Sep 11, 2024 · 2 comments · Fixed by #8961

Comments


seanh commented Sep 11, 2024

Related: #8948

Inactive h users get logged out after seven days when their auth ticket expires, whereas active h users get logged out every thirty days when their auth cookie expires.

Both seven days and thirty days are far too aggressive: the inconvenience to our users (and likely resulting negative effect on user retention) far outweighs any improved security we might be getting by logging users out so often.


seanh commented Sep 11, 2024

Possible solution:

  1. Inactive users stay logged in for much longer than currently, at least six months. I'd say one year.
  2. Active users stay logged in forever. As long as you make at least one request every year, you will never be logged out.

This is slightly complicated to implement. You have to track whether the user is active so you have to do something each time a user makes a request such as refreshing a cookie or ticket. (The current implementation does this by refreshing tickets).

Simpler version:

  • Both active and inactive users stay logged in forever, logins never time out at all.

This is simpler because we don't need to keep track of whether a user is active or not, so there's no need to refresh any cookie or tickets. Cookies and tickets don't even have expiry times.

A problem with this is that we have no way to purge no-longer-needed auth tickets from our DB. If auth tickets never expire then we can never purge any of them. Currently, h regularly purges auth tickets that've passed their expiry time. There may be other things we can do to prevent the auth_ticket table from growing too large, e.g. have only one ticket per user (shared by all that user's auth cookies).

Both solutions still need to deal with #8948 (the problem of the user getting logged out while they have a tab still open). In the first solution if a user leaves a tab open for a year (!) and is not active in any other tabs and then tries to return to the old tab, they'll see errors. In both solutions if the user has multiple tabs open and logs out in one tab and then tries to return to another open tab they'll run into errors.

@robertknight
Member

I think we probably do want some eventual expiry time for logins, but it can be longer than it is today. For inactive users, we probably want it to be at least a month but not more than a year. If the duration is long enough, I don't think it is a big problem if active users are occasionally logged out. This happens to me with many of the services I use.

seanh added a commit that referenced this issue Sep 19, 2024
Fixes #8949. We agreed on logging
inactive users out after three months and active users after one year,
Slack thread:

https://hypothes-is.slack.com/archives/C4K6M7P5E/p1726753077108739?thread_ts=1726473609.158389&cid=C4K6M7P5E
@seanh seanh closed this as completed in bdbe3ae Sep 19, 2024