We've just rolled out some new code on our beta server that significantly changes how sessions are managed. This new code reduces overall session complexity, fixes some long-term bugs, and adds some useful new features.
- There are now just 2 main types of sessions: normal & long term
  - normal – these expire after 2 hours of inactivity
  - long term (you check the "Keep me logged in" checkbox on login) – these expire after 30 days of inactivity; for most people on most machines, this is effectively forever

(Note: The "Keep me logged in" checkbox has been broken for the last few months on the beta server, but now correctly creates a long term login session. Also, the "lightbox" login screen within the new UI now works correctly.)
- Logout will explicitly end a session
If you want to explicitly end a session, use the "Log out" link at the top right of the page. If you want to keep a session, just close the browser tab/window and when you go back to the beta server, you’ll still be logged in (see below).
- You can still log in to multiple different accounts
We still support the ability to log in to multiple different user accounts at the same time on the same device/browser.
- You can access existing logged in sessions from the login screen
If your device/browser has any existing logged in sessions, we now show those sessions when you go to the login screen. Simply clicking on one of those sessions will send you straight back to that mailbox for that user.
Although by default the login screen shows existing logged in sessions, clicking the "Log in to another account" link will allow you to log in to another account at the same time.
- You can see (and remotely log out) all logged in web sessions on all devices/browsers
We now track all sessions in our database and allow users to see all these sessions and remotely log out any of them individually.
Just go to Options/Accounts -> Logged In Sessions to see all sessions on all devices/browsers. Currently only sessions created on http://beta.fastmail.fm can be deleted.
(Note: Only web sessions are shown. IMAP/POP/XMPP/etc. logins are shown on the Options -> Login Log screen.)
One observation that some people might make is that with the old system, if you were logged into your account, and then closed your browser window/tab or went to http://beta.fastmail.fm again, it would appear that your existing session was automatically logged out, a nice security feature.
In fact, that was never the case: the session was not logged out. Simply picking the right URL from your browser history would take you straight back in. There was just no visual indication on the login screen that this existing session was still present in your browser cookies, which is actually quite dangerous. The new system correctly shows any existing sessions on the login screen. If you want to end a session, you must use the "Log out" link at the top right of the page, whether you're using the new system or the current system still at http://www.fastmail.fm.
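The session model described in this post, sketched as an added example (this is not FastMail's code): sessions live in a server-side table, expire only through inactivity or an explicit logout, and can be listed and ended per user. The names `SessionStore`, `IDLE_LIMIT` and the row layout are assumptions made for illustration.

```python
import secrets
import time
from types import SimpleNamespace as Row

# Idle limits from the post: 2 hours (normal), 30 days ("Keep me logged in").
IDLE_LIMIT = {"normal": 2 * 3600, "long_term": 30 * 24 * 3600}

class SessionStore:
    """In-memory stand-in for a server-side session table (hypothetical schema)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._rows = {}  # session id (cookie value) -> Row

    def login(self, user, device, keep_logged_in=False):
        sid = secrets.token_urlsafe(32)  # unguessable id handed to the browser
        kind = "long_term" if keep_logged_in else "normal"
        self._rows[sid] = Row(user=user, kind=kind, device=device,
                              last_seen=self._clock())
        return sid

    def _live(self, sid):
        """Return the session if it exists and is within its idle limit."""
        s = self._rows.get(sid)
        if s and self._clock() - s.last_seen > IDLE_LIMIT[s.kind]:
            del self._rows[sid]  # expired: the cookie no longer opens anything
            return None
        return s

    def touch(self, sid):
        """Validate a request's session id and restart its inactivity timer."""
        s = self._live(sid)
        if s:
            s.last_seen = self._clock()
        return s.user if s else None

    def logout(self, sid, user=None):
        """End a session. With `user` set (remote logout), only that user's own."""
        s = self._live(sid)
        if s is None or (user is not None and s.user != user):
            return False
        del self._rows[sid]
        return True

    def sessions_for(self, user):
        """Rows for a "Logged In Sessions" screen: live sessions on all devices."""
        return {sid: s.device for sid, s in list(self._rows.items())
                if s.user == user and self._live(sid)}
```

Nothing in the store reacts to a closed tab: a session id stays valid until `logout` removes the row or the idle limit passes, which is why the login screen listing existing sessions reflects the real state.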