Autologin when using LDAP #1546

Closed
opened 2026-02-05 01:12:01 +03:00 by OVERLORD · 4 comments

Originally created by @Windoze345 on GitHub (Feb 19, 2020).

When using local authentication I can set a checkbox to stay logged in even when I close my browser window. After switching to LDAP authentication (using Active Directory) the checkbox disappears.

I would like to stay logged in AND use LDAP as authentication source.

OVERLORD added the 🌔 Out of scope, 🔨 Feature Request, 🚪 Authentication labels 2026-02-05 01:12:01 +03:00

@ssddanbrown commented on GitHub (Feb 19, 2020):

Hi @Windoze345,

I specifically removed "Remember Me" functionality from LDAP in the latest release because it doesn't fit into the model of the LDAP system being authoritative, and could be an easily-missed hole in security, where access could be revoked on the LDAP system but the user would remain logged in.

The default session lifetime is two hours. You can increase this if wished for by setting the following in your `.env` file:

```bash
SESSION_LIFETIME=120
```

@Windoze345 commented on GitHub (Feb 20, 2020):

Hi @ssddanbrown,

I agree that LDAP should be the authority when enabled.
I think it would still be possible to keep the autologin functionality if the system queries LDAP after using the saved session and logs out the user if the permissions have been revoked on the LDAP server. So basically use the saved session to simulate a fresh login using name and password.

The only situation where this will not work is when you use anonymous binding to the LDAP server, since you don't have the login credentials anymore. But if you use an authenticated bind you could query the user details by id alone.


@ssddanbrown commented on GitHub (Jul 12, 2020):

I can't really see a clean way to do this that won't open up more security concerns. Sure we could save a longer-lived session and re-check the LDAP system but what criteria would be used to determine continued authentication success? That might be very much dependent on the config/setup of the particular LDAP system, therefore this config option would need additional configuration options itself & that's not really a level I want to delve into.

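The resume-and-recheck design proposed two comments up, together with the "what criteria?" objection to it, as an added Python sketch that is not BookStack code: the directory is a constructed in-memory stand-in for a search made over a service-account bind, `ReauthPolicy` is a hypothetical per-site configuration, and the disabled-account test uses the Active Directory `userAccountControl` bit. The anonymous-bind case is handled by refusing persistent sessions outright, since no credential remains with which to make an authoritative query.

```python
from typing import Optional, Tuple
from dataclasses import dataclass

ACCOUNTDISABLE = 0x0002   # Active Directory userAccountControl: account is disabled
NORMAL_ACCOUNT = 0x0200   # Active Directory userAccountControl: ordinary user account
WIKI_GROUP = "cn=wiki-users,ou=groups,dc=example,dc=org"   # constructed group DN

@dataclass(frozen=True)
class DirectoryEntry:
    dn: str
    user_account_control: int
    member_of: frozenset

# Constructed in-memory stand-in for an LDAP search. A real implementation would
# search with the configured service-account bind; the user's own password is
# not retained after login, so it can never be replayed for the re-check.
FAKE_DIRECTORY = {
    "alice": DirectoryEntry("cn=alice,ou=users,dc=example,dc=org", NORMAL_ACCOUNT, frozenset({WIKI_GROUP})),
    "bob": DirectoryEntry("cn=bob,ou=users,dc=example,dc=org", NORMAL_ACCOUNT | ACCOUNTDISABLE, frozenset({WIKI_GROUP})),
    "carol": DirectoryEntry("cn=carol,ou=users,dc=example,dc=org", NORMAL_ACCOUNT, frozenset()),
}

@dataclass(frozen=True)
class ReauthPolicy:
    """Hypothetical per-site criteria for 'still authorised'. Which of these
    apply depends on the directory, which is exactly the maintainer's objection."""
    service_bind_dn: Optional[str]          # None: only anonymous bind is configured
    required_group: Optional[str] = None    # group the user must still belong to
    reject_disabled: bool = True            # honour the directory's disabled flag

def resume_session(uid: str, policy: ReauthPolicy) -> Tuple[bool, str]:
    """Decide whether a restored 'remember me' session may continue.
    Returns (allowed, reason); False means the persistent token must be destroyed."""
    if policy.service_bind_dn is None:
        # Anonymous bind: no credential exists to make an authoritative query,
        # so the safe behaviour is to refuse persistent sessions entirely.
        return False, "anonymous bind: cannot re-verify, persistent login refused"
    entry = FAKE_DIRECTORY.get(uid)   # stands in for a search over the service bind
    if entry is None:
        return False, "user no longer present in directory"
    if policy.reject_disabled and entry.user_account_control & ACCOUNTDISABLE:
        return False, "account disabled in directory"
    if policy.required_group and policy.required_group not in entry.member_of:
        return False, "user no longer a member of " + policy.required_group
    return True, "directory re-check passed"
```

Every branch that returns False is a point where the application must also revoke the stored token, otherwise the revoked-in-LDAP-but-still-logged-in hole the maintainer describes reappears on the next request.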

@ssddanbrown commented on GitHub (Feb 8, 2021):

I'm gonna go ahead and close this off as out of scope since I cannot see a clean, worthwhile, easily maintainable way, and since it would likely need to handle opinionated re-auth logic.


Reference: starred/BookStack#1546