Merge branch 'dblessing_remember_me_application_setting_admin_ui' into 'master'

Frontend (admin area) to allow remember me to be disabled See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119381 Merged-by: charlie ablett <cablett@gitlab.com> Approved-by: Miguel Rincon <mrincon@gitlab.com> Approved-by: Jon Glassman <jglassman@gitlab.com> Approved-by: Ross Byrne <robyrne@gitlab.com> Approved-by: Halil Coban <hcoban@gitlab.com> Approved-by: charlie ablett <cablett@gitlab.com> Reviewed-by: Drew Blessing <drew@gitlab.com> Co-authored-by: Jon Glassman <jglassman@gitlab.com> Co-authored-by: Drew Blessing <drew@gitlab.com>

Merge branch 'dblessing_remember_me_application_setting_admin_ui' into 'master'
Frontend (admin area) to allow remember me to be disabled See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119381 Merged-by: charlie ablett <cablett@gitlab.com> Approved-by: Miguel Rincon <mrincon@gitlab.com> Approved-by: Jon Glassman <jglassman@gitlab.com> Approved-by: Ross Byrne <robyrne@gitlab.com> Approved-by: Halil Coban <hcoban@gitlab.com> Approved-by: charlie ablett <cablett@gitlab.com> Reviewed-by: Drew Blessing <drew@gitlab.com> Co-authored-by: Jon Glassman <jglassman@gitlab.com> Co-authored-by: Drew Blessing <drew@gitlab.com>
13c2936e · charlie ablett · aa3fc6b7 · 6ce7595d · 13c2936e · 13c2936e
--- a/app/helpers/application_settings_helper.rb
+++ b/app/helpers/application_settings_helper.rb
@@ -349,6 +349,7 @@ def visible_attributes
      :repository_storages_weighted,
      :require_admin_approval_after_user_signup,
      :require_two_factor_authentication,
+      :remember_me_enabled,
      :restricted_visibility_levels,
      :rsa_key_restriction,
      :session_expire_delay,

--- a/app/views/admin/application_settings/_account_and_limit.html.haml
+++ b/app/views/admin/application_settings/_account_and_limit.html.haml
@@ -30,6 +30,11 @@
      = f.label :session_expire_delay, _('Session duration (minutes)'), class: 'label-light'
      = f.number_field :session_expire_delay, class: 'form-control gl-form-input', title: _('Maximum duration of a session.'), data: { toggle: 'tooltip', container: 'body' }
      %span.form-text.text-muted#session_expire_delay_help_block= _('Restart GitLab to apply changes.')
+    .form-group
+      = f.label :remember_me_enabled, _('Remember me'), class: 'label-light'
+      - remember_me_help_link = help_page_path('user/profile/index.md', anchor: 'stay-signed-in-for-two-weeks')
+      - remember_me_help_link_start = '<a href="%{url}" target="_blank" rel="noopener noreferrer">'.html_safe % { url: remember_me_help_link }
+      = f.gitlab_ui_checkbox_component :remember_me_enabled, _('Allow users to extend their session'), help_text: _("Users can select 'Remember me' on sign-in to keep their session active beyond the session duration. %{link_start}Learn more.%{link_end}").html_safe % { link_start: remember_me_help_link_start, link_end: '</a>'.html_safe }
    = render_if_exists 'admin/application_settings/git_two_factor_session_expiry', form: f
    = render_if_exists 'admin/application_settings/personal_access_token_expiration_policy', form: f

--- a/doc/user/admin_area/settings/account_and_limit_settings.md
+++ b/doc/user/admin_area/settings/account_and_limit_settings.md
@@ -176,17 +176,32 @@ wiki, packages, or snippets. The repository size limit applies to both private a
 For details on manually purging files, see [reducing the repository size using Git](../../project/repository/reducing_the_repo_size_using_git.md).
-## Customize the default session duration
+## Session duration
-You can change how long users can remain signed in.
+### Customize the default session duration
+You can change how long users can remain signed in without activity.
 1. On the top bar, select **Main menu > Admin**.
 1. On the left sidebar, select **Settings > General**.
 1. Expand **Account and limit**. The set duration is in **Session duration (minutes)**.
+If [Remember me](#turn-remember-me-on-or-off) is enabled, users' sessions can remain active for an indefinite period of time.
 For details, see [cookies used for sign-in](../../profile/index.md#cookies-used-for-sign-in).
-## Customize session duration for Git Operations when 2FA is enabled **(PREMIUM SELF)**
+### Turn **Remember me** on or off
+> Ability to turn the **Remember me** setting on and off [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/369133) in GitLab 16.0.
+Users can select the **Remember me** checkbox on sign-in, and their session will remain active for an indefinite period of time when accessed from that specific browser. You can turn off this setting if you need sessions to expire for security or compliance purposes. Turning off this setting will ensure users' sessions expire after the number of minutes of inactivity set when you [customize your session duration](#customize-the-default-session-duration).
+1. On the top bar, select **Main menu > Admin**.
+1. On the left sidebar, select **Settings > General**.
+1. Expand **Account and limit**.
+1. Select or clear the **Remember me** checkbox to turn this setting on or off.
+### Customize session duration for Git Operations when 2FA is enabled **(PREMIUM SELF)**
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/296669) in GitLab 13.9.
 > - It's deployed behind a feature flag, disabled by default.

--- a/doc/user/profile/index.md
+++ b/doc/user/profile/index.md
@@ -318,25 +318,27 @@ To view a summary of your activity, or the activity of other users:
 1. In the GitLab menu, select **Activity**.
 1. Select the **Followed users** tab.
-## Stay signed in for two weeks
+## Session duration
+### Stay signed in for two weeks
+By default, you are signed out of GitLab after seven days (10080 minutes) of inactivity or until you close your browser
+window, whichever comes first.
-By default, you are signed out of GitLab every seven days, or 10080 minutes.
 GitLab administrators can
 [change this default](../admin_area/settings/account_and_limit_settings.md#customize-the-default-session-duration).
-To extend the duration to two weeks:
+### Stay signed in indefinitely
- On the GitLab sign-in page, select the **Remember me** checkbox.
-## Stay signed in indefinitely
+> Ability to turn the **Remember me** setting on and off [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/369133) in GitLab 16.0.
-To remain signed in indefinitely:
+To remain signed in indefinitely, select the **Remember me** checkbox on the GitLab sign-in page.
-1. On the GitLab sign-in page, select the **Remember me** checkbox.
+You remain signed in because, although the server sets a session time of one week, your browser stores a secure token
-1. Access GitLab at least once every two weeks, and leave your browser open.
+that enables automatic reauthentication.
-You remain signed in because, although the server sets a time-to-live (TTL) of one week on your browser session,
+GitLab administrators can [turn off the **Remember me** setting](../admin_area/settings/account_and_limit_settings.md) for environments
-the server continues to reset the TTL, regardless of whether 2FA is installed.
+that require sessions to expire periodically for security or compliance purposes.
 ### Cookies used for sign-in

--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -4532,6 +4532,9 @@ msgstr ""
 msgid "Allow use of licensed EE features"
 msgstr ""
+msgid "Allow users to extend their session"
+msgstr ""
 msgid "Allow users to register any application to use GitLab as an OAuth provider"
 msgstr ""
@@ -48772,6 +48775,9 @@ msgstr ""
 msgid "Users can request access (if visibility is public or internal)"
 msgstr ""
+msgid "Users can select 'Remember me' on sign-in to keep their session active beyond the session duration. %{link_start}Learn more.%{link_end}"
+msgstr ""
 msgid "Users cannot be added to projects in this group"
 msgstr ""
--- a/spec/controllers/admin/application_settings_controller_spec.rb
+++ b/spec/controllers/admin/application_settings_controller_spec.rb
@@ -205,7 +205,7 @@
    end
    context 'boolean attributes' do
-      shared_examples_for 'updates booolean attribute' do |attribute|
+      shared_examples_for 'updates boolean attribute' do |attribute|
        specify do
          existing_value = ApplicationSetting.current.public_send(attribute)
          new_value = !existing_value
@@ -217,10 +217,11 @@
        end
      end
-      it_behaves_like 'updates booolean attribute', :user_defaults_to_private_profile
+      it_behaves_like 'updates boolean attribute', :user_defaults_to_private_profile
-      it_behaves_like 'updates booolean attribute', :can_create_group
+      it_behaves_like 'updates boolean attribute', :can_create_group
-      it_behaves_like 'updates booolean attribute', :admin_mode
+      it_behaves_like 'updates boolean attribute', :admin_mode
-      it_behaves_like 'updates booolean attribute', :require_admin_approval_after_user_signup
+      it_behaves_like 'updates boolean attribute', :require_admin_approval_after_user_signup
+      it_behaves_like 'updates boolean attribute', :remember_me_enabled
    end
    context "personal access token prefix settings" do