greenlight forces a new login every 7 days instead of refreshing #6148

@anarcat

It seems like greenlight logins have two modes:

  • normal mode: require a new login every 24h
  • extended mode: require a new login every 7 days (when the "remember me" box is checked)

It seems those timeouts are managed here:

    def generate_session_token!(extended_session: false)
      digest = User.generate_digest(SecureRandom.alphanumeric(40))
      expiry = extended_session ? 7.days.from_now : 24.hours.from_now
      update! session_token: digest, session_expiry: expiry
    rescue ActiveRecord::RecordInvalid
      raise unless errors.attribute_names.include? :session_token
      retry
    end

For me, those timeouts are fine, except for one thing: I would have expected them to apply only to idle sessions. If I check "remember me", for example, and use BBB all week, I don't expect to ever have to log back in unless I don't use BBB for more than 7 days.

In other words, why isn't the session refreshed on use, instead of being forcibly expired all the time?

Take GitHub, for example: even though it probably has some cookie lifetime here, I don't constantly have to log in here every week! And indeed, the _gh_sess cookie has an "Expires" of Session, that is, it doesn't expire until you close your browser session (or however browsers interpret that). There's also a user_session that expires, for me, in a little over two weeks (on December 3rd), while it was created in October 2025...

Greenlight seems to have two session tokens:

  • _greenlight-3_0_session: Expires: 7 days after creation
  • _extend_session: Expires: Session

Is there some way greenlight could be configured so that we don't have to log in every day or week, without going through some SSO dance, of course?
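
The idle-timeout behaviour asked about above, as an added plain-Ruby example that is not part of the original issue and is not Greenlight's code: the expiry slides forward on each authenticated request, bounded by an absolute lifetime so that a stolen token cannot be kept alive forever. The `SlidingSession` class, the 30-day `MAX_LIFETIME` and the SHA-256 digest are assumptions made for illustration; the 24-hour and 7-day windows are the ones from the issue.

```ruby
require "securerandom"
require "digest"

# Hypothetical session record (not Greenlight's User model).
class SlidingSession
  NORMAL_IDLE   = 24 * 3600      # seconds; "normal mode" window from the issue
  EXTENDED_IDLE = 7 * 24 * 3600  # seconds; "remember me" window from the issue
  MAX_LIFETIME  = 30 * 24 * 3600 # assumed hard cap; set per your own policy

  attr_reader :expires_at

  # Returns [session, raw_token]; only the digest is kept server-side.
  def self.issue(extended:, now: Time.now)
    raw = SecureRandom.alphanumeric(40)
    [new(Digest::SHA256.hexdigest(raw), extended, now), raw]
  end

  def initialize(digest, extended, now)
    @digest = digest
    @idle = extended ? EXTENDED_IDLE : NORMAL_IDLE
    @hard_deadline = now + MAX_LIFETIME
    @expires_at = now + @idle
  end

  # Call on every authenticated request. Returns true if the token is still
  # valid, and in that case pushes the idle deadline forward.
  def touch(raw_token, now: Time.now)
    return false unless secure_equal?(Digest::SHA256.hexdigest(raw_token.to_s), @digest)
    # expires_at never exceeds the hard deadline, so one check covers both limits
    return false if now >= @expires_at

    @expires_at = [now + @idle, @hard_deadline].min
    true
  end

  private

  # Constant-time comparison of two hex digests.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize

    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

With daily use, an extended session in this example stays valid past day 7 and is only forced back to the login page after 7 idle days or at the 30-day cap, whichever comes first.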
