New login and session management code on beta.fastmail.fm

We’ve just rolled out some new code on our beta server that significantly changes how sessions are managed. This new code reduces some overall session complexity, fixes some long term bugs, and adds some useful new features.

1. There’s now just 2 main types of sessions: normal & long term

   • normal – these expire after 2 hours of inactivity
   • long term (you check the “Keep me logged in” checkbox on login)
     – these expire after 30 days of inactivity, for most people
     on most machines, this is effectively forever

   (Note: The “Keep me logged in” checkbox has been broken for the last
   few months on the beta server, but now correctly creates a long term
   login session. Also the “lightbox” login screen within the new UI
   now correctly works.)

2. Logout will explicitly end a session

   If you want to explicitly end a session, use the “Log out” link at
   the top right of the page. If you want to keep a session, just close
   the browser tab/window and when you go back to the beta server,
   you’ll still be logged in (see below).

3. You can still log in to multiple different accounts

   We still support the ability to log in to multiple different user
   accounts at the same time on the same device/browser.

4. You can access existing logged in sessions from the login screen

   If your device/browser has any existing logged in sessions, we now
   show those sessions when you go to the login screen. Simply clicking
   on one of those sessions will send you straight back to that mailbox
   for that user.

   Although by default the login screen shows existing logged in
   sessions, clicking the “Log in to another account” link will allow
   you to log in to another account at the same time.

5. You can see (and remotely log out) all logged in web sessions on all
   devices/browsers

   We now track all sessions in our database and allow users to see all
   these sessions and remotely log out any of them individually.

   Just go to Options/Accounts –> Logged In Sessions to see all
   sessions in all devices/browsers. Currently only sessions created on
   http://beta.fastmail.fm can be deleted.

   (Note: Only web sessions are shown. IMAP/POP/XMPP/etc logins are
   shown on the Options -> Login Log screen)

One observation that some people might make is that with the old system, if you were logged into your account, and then closed your browser window/tab or went to http://beta.fastmail.fm again, it would appear that your existing session was automatically logged out, a nice security feature.

In fact that was never the case, the session was not logged out. Simply picking the right URL from your browser history would take you straight back in. There was just no visual indication on the login screen that this existing session was still present in your browser cookies, which is actually quite dangerous. The new system correctly shows any existing sessions on the login screen. If you want to end a session, you must use the “Log out” link at the top right of the page, whether you’re using the new system or the current system still at http://www.fastmail.fm.