New login and session management code on beta.fastmail.fm


Rob Mueller, Founder & CTO

We’ve just rolled out some new code on our beta server that significantly changes how sessions are managed. This new code reduces some overall session complexity, fixes some long term bugs, and adds some useful new features.

  1. There are now just two main types of sessions: normal and long term

    • normal – these expire after 2 hours of inactivity
    • long term (you check the “Keep me logged in” checkbox on login)
      – these expire after 30 days of inactivity; for most people on
      most machines, that is effectively forever

    (Note: The “Keep me logged in” checkbox has been broken for the last
    few months on the beta server, but now correctly creates a long term
    login session. Also the “lightbox” login screen within the new UI
    now correctly works.)

  2. Logout will explicitly end a session

    If you want to explicitly end a session, use the “Log out” link at
    the top right of the page. If you want to keep a session, just close
    the browser tab/window and when you go back to the beta server,
    you’ll still be logged in (see below).

  3. You can still log in to multiple different accounts

    We still support the ability to log in to multiple different user
    accounts at the same time on the same device/browser.

  4. You can access existing logged in sessions from the login screen

    If your device/browser has any existing logged in sessions, we now
    show those sessions when you go to the login screen. Simply clicking
    on one of those sessions will send you straight back to that mailbox
    for that user.

    Although by default the login screen shows existing logged in
    sessions, clicking the “Log in to another account” link will allow
    you to log in to another account at the same time.

  5. You can see (and remotely log out) all logged in web sessions on all
    devices/browsers

    We now track all sessions in our database and allow users to see all
    these sessions and remotely log out any of them individually.

    Just go to Options/Accounts –> Logged In Sessions to see all
    sessions in all devices/browsers. Currently only sessions created on
    http://beta.fastmail.fm can be deleted.

    (Note: Only web sessions are shown. IMAP/POP/XMPP/etc logins are
    shown on the Options -> Login Log screen)

One observation that some people might make is that with the old system, if you were logged into your account and then closed your browser window/tab or went to http://beta.fastmail.fm again, it would appear that your existing session had been automatically logged out, which looked like a nice security feature.

In fact that was never the case: the session was not logged out. Simply picking the right URL from your browser history would take you straight back in. There was just no visual indication on the login screen that this existing session was still present in your browser cookies, which is actually quite dangerous, since anyone with access to that browser could resume it just as easily. The new system correctly shows any existing sessions on the login screen. If you want to end a session, you must use the “Log out” link at the top right of the page, whether you’re using the new system or the current system still at http://www.fastmail.fm.
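As an added example (not FastMail’s code), the following Python sketches the server-side session table that items 1 to 5 describe, and walks through the point just made: closing a tab changes nothing on the server, a cookie keeps resolving to a live session until it idles out or is explicitly logged out, and the login screen and the “Logged In Sessions” page simply list what is still live. The random session ID format, the device labels, the fake clock and the walkthrough itself are assumptions constructed for the example; the 2 hour and 30 day windows are the ones from the post.

```python
"""Added example (not FastMail's code): a server-side session table with
sliding inactivity expiry, explicit logout, several accounts per browser,
the login screen listing live sessions the browser still holds, and per-user
listing with remote revocation.  Device labels and the clock are constructed."""
import secrets
import time
from dataclasses import dataclass

# Inactivity windows from the post; "long_term" is what "Keep me logged in" makes.
IDLE_LIMIT = {"normal": 2 * 3600, "long_term": 30 * 24 * 3600}


@dataclass
class Session:
    sid: str          # the cookie value; random, never derived from user data
    user: str
    kind: str         # "normal" or "long_term"
    device: str       # constructed label; a real store would record UA/IP
    last_seen: float


class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock
        self._sessions = {}   # sid -> Session, the "tracked in our database" table

    def login(self, user, device, keep_logged_in=False):
        kind = "long_term" if keep_logged_in else "normal"
        sid = secrets.token_urlsafe(32)   # assumed ID format, unguessable
        self._sessions[sid] = Session(sid, user, kind, device, self.clock())
        return sid

    def peek(self, sid):
        """Live session behind a cookie without counting it as activity
        (what the login screen does); an idle-expired session is purged."""
        s = self._sessions.get(sid)
        if s is not None and self.clock() - s.last_seen > IDLE_LIMIT[s.kind]:
            del self._sessions[sid]
            return None
        return s

    def resolve(self, sid):
        """An authenticated request: like peek, but refreshes the idle timer."""
        s = self.peek(sid)
        if s is not None:
            s.last_seen = self.clock()
        return s

    def logout(self, sid):
        """Explicit logout deletes the server-side record; the cookie the
        browser still holds is then worthless.  Closing a tab does nothing."""
        return self._sessions.pop(sid, None) is not None

    def sessions_in_browser(self, cookie_jar):
        """Login screen: every live session whose cookie this browser sends."""
        return [s for sid in cookie_jar if (s := self.peek(sid))]

    def sessions_for_user(self, user):
        """Options -> Logged In Sessions: live sessions on every device."""
        live = [self.peek(sid) for sid in list(self._sessions)]
        return sorted((s for s in live if s and s.user == user),
                      key=lambda s: s.device)


class FakeClock:
    """Constructed clock so the walkthrough below is deterministic."""
    def __init__(self, now=1_700_000_000.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def walkthrough():
    clock = FakeClock()
    store = SessionStore(clock)
    laptop, phone = set(), set()                 # each browser's cookie jar
    alice_laptop = store.login("alice", "laptop")                     # normal
    alice_phone = store.login("alice", "phone", keep_logged_in=True)  # long term
    bob_laptop = store.login("bob", "laptop")                         # normal
    laptop.update({alice_laptop, bob_laptop})
    phone.add(alice_phone)

    # Closing the laptop's tab changes nothing server-side; the login screen
    # lists both accounts instead of hiding them.
    shown_at_login = sorted(s.user for s in store.sessions_in_browser(laptop))

    # 1.5h later Alice reads mail on the laptop (refreshes her idle timer);
    # Bob does nothing.  Another 1.5h on, Bob has idled past 2h, Alice has not.
    clock.advance(90 * 60)
    store.resolve(alice_laptop)
    clock.advance(90 * 60)
    bob_live = len(store.sessions_for_user("bob"))
    alice_devices = [s.device for s in store.sessions_for_user("alice")]

    # From the laptop, Alice remotely logs out the phone.  The phone still
    # holds its cookie, but it no longer resolves to anything.
    revoked = store.logout(alice_phone)
    phone_after = store.resolve(next(iter(phone)))
    alice_after = [s.device for s in store.sessions_for_user("alice")]
    return {
        "shown_at_login": shown_at_login,          # ['alice', 'bob']
        "bob_live_after_3h": bob_live,             # 0
        "alice_devices": alice_devices,            # ['laptop', 'phone']
        "revoked": revoked,                        # True
        "phone_cookie_after_revoke": phone_after,  # None
        "alice_after": alice_after,                # ['laptop']
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The two lookups are deliberately separate: the login screen uses `peek`, so merely showing a session does not extend its life, while `resolve` (a real authenticated request) is what slides the inactivity window. Expiry is evaluated lazily on lookup and purged then; a production store would also sweep the table periodically so that idle long-term sessions do not linger for 30 days of storage.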
