BOY SCOUTS OF AMERICA

Scouting Forums

Authenticating. Every. Single. Time

The authentication timeouts at Scoutbook and discussions.scouting.org are appropriate for a bank, but an unnecessary overhead for a communications platform. I’d like to request session cookies that are valid more like other social media platforms: Facebook and Pinterest will remember you until the next browser logout. The scouting tools would be more user friendly if they behaved similarly.
I’d hope for this to be extended to the Discourse app on mobile. It knows who I am well enough to display an unread message count when first opened, but then asks for login. Modern mobile apps retain credentials across exit/relaunch cycles, or at least allow a biometric identifier (FaceID, fingerprint) if in a “higher security” context (such as financial institutions).

3 Likes

BSA security has mandated the 30 minute timeout on all systems that contain personal information. Scoutbook and my.scouting.org both have such a timeout. We recommend using the volunteer written and supported Feature Assistant Extension for Scoutbook for Chrome and Firefox which provides a 5 minute timeout warning for Scoutbook.

We have requested the timeout limit for Discourse be increased since it does not include personal information.

Glad to hear there’s a request to take down barriers to making the Discourse user friendly. Who/what group is in position to approve or decline the request? I wholeheartedly agree with it, so if there’s a need for input from the target audience of this Discourse, please point to mine.

1 Like

I would add that if there were a bona fide mobile Scoutbook app for smartphones, one should not have to re-authenticate every single time, since most are already having to unlock their phones prior to use (i.e., authenticate). To my knowledge this is sufficient to meet FERPA and HIPAA standards on these devices when using email, so one would assume it should be sufficient for these purposes.

Oddly there is something in the Discourse app (which is a self-contained browser) which allows notifications without having to re-authenticate. Granted I still need to authenticate within the app if I want to read what has been posted in a thread.

Or at least within a native app, the device’s biometric authentication can be leveraged for the in-app authentication: my bank/credit card/investment provider apps all request my fingerprint to continue even if the phone is unlocked. A proper Scoutbook app could have this additional step if the device lock status alone is considered insufficient security.

But for this discussion forum, I want to see persistent authentication. I like to hear that there’s a request to have it increased, but “increased to 2 hours” would simultaneously qualify for increased, and not be the experience the platform should be providing. In order to turn to discussions.scouting.org as the communications hub for a Troop, we can’t have a barrier to participation show up every time they wish to contribute. The reauthentication request should be seen rarely to never.

The Scouting app (for parents and Scouts) can authenticate via a fingerprint or Face ID.

We have requested they set the Discourse timeout to a minimum of 24 hours but suggested more.

24 hours is nowhere near enough. It’s a fantasy to think that a busy parent is going to access this forum every single day to avoid having to reauthenticate.

I’ve been accessing Scoutbook via a homepage bookmark on iOS… from the last reply, I now see the Scouting App… are these both routes to the same back end info, or different places?

1 Like

Steve,

The reason you have to authenticate to Scoutbook every time you access it is because you have it saved as a web app on your iOS home page. iOS deletes the session cookies Scoutbook uses to maintain the 30 minute timeout every time you switch to a different app. We recommend bookmarking Scoutbook in Safari on iOS and using it that way. This will allow you to switch to other apps and back to Scoutbook and not log in again as long as it has been less than 30 minutes since your last server access.

Using Scoutbook as a web app will also prevent it from automatically logging in to Discourse when you click on the Forum link. This is an iOS limitation with the way cookies are handled for web apps.

1 Like
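The timeout behaviour described in the reply above, sketched as an added example (not part of the original posts and not Scoutbook's or Discourse's code): the 30 minute window is tracked on the server from the last access, while the cookie carrying the session id is a session cookie that the client may discard sooner. The cookie name `sid` and the class and function names are hypothetical.

```python
import secrets
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 30 * 60  # seconds; the 30 minute figure quoted in the thread


class SessionStore:
    """Server-side sessions with a sliding idle timeout (illustrative only)."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self._last_seen = {}  # session id -> time of last server access

    def login(self, now):
        sid = secrets.token_urlsafe(32)  # unguessable session identifier
        self._last_seen[sid] = now
        return sid

    def touch(self, sid, now):
        """Return True and slide the window if the session is still live."""
        last = self._last_seen.get(sid)
        if last is None or now - last > self.idle_timeout:
            self._last_seen.pop(sid, None)  # expired or unknown: re-login needed
            return False
        self._last_seen[sid] = now  # each server access restarts the 30 minutes
        return True


def set_cookie_header(sid, persistent_seconds=None):
    """Build the Set-Cookie value; without Max-Age it is a session cookie."""
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["path"] = "/"
    cookie["sid"]["secure"] = True
    cookie["sid"]["httponly"] = True
    cookie["sid"]["samesite"] = "Lax"
    if persistent_seconds is not None:
        cookie["sid"]["max-age"] = persistent_seconds  # survives client restarts
    return cookie["sid"].OutputString()


def is_session_cookie(header):
    """True when the cookie has no Max-Age/Expires, so the client may drop it."""
    attrs = [part.strip().lower() for part in header.split(";")[1:]]
    return not any(a.startswith(("max-age=", "expires=")) for a in attrs)
```

If the client throws away a session cookie, the server-side entry is still live but unreachable, which is why a login prompt can appear well inside the 30 minutes.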

OK, that’s an incrementally better route, but I think I like the Scouting App better, tho I haven’t fully assessed the scope of what the Scouting App offers vs Scoutbook web interface.

I’m still quite curious who the folks in position to approve or deny the request to increase the Discourse timeout to > 24 hours are.

1 Like

It’s really a pain to log in again every time. Not like forum experiences through Tapatalk, but it’s a Discourse-wide complaint, not limited to these forums.

It appears to be just a native browser window (Safari on iOS & Chrome on Android). I’m a Windows computer user and an iPhone device user.

If I save my login info in Safari/Chrome, will it prevent me from having to enter it in the Discourse app? I haven’t figured out how to save a password in Safari, but assume I can get that far.

It’s comical: I’m sitting here with my phone in my hand, and I get a push notification with the start of DavidO’s response above. So the system knows my device.
I tap the notification, get taken to Discourse, and am presented with a login window.
I’m sure this can be made reasonable.

Are you using the Discourse app on your phone, accessing Discourse via a web app or via Safari? If you are accessing it via a web app then just like with Scoutbook, the cookies that hold your session information are deleted when you switch to another app.

Discourse is configured so you can read posts without logging in but you cannot post. The Discourse app appears to require a login to even read posts.

I’m using the app; a bookmark or Safari alone couldn’t receive a push notification.

The app appears to require login to read or post. The 1 hour timeout applies.

Right, and I view both of these facts as significant hindrances to adopting this as a Troop-wide communications platform, so I’m here advocating for change.

I’m still seeking to know who’s in position to change the timeout period. If DavidO is correct and no Discourse Installation anywhere can leave a user authenticated for > 1 hour, Discourse was a regrettable choice for Scouting.

Our Troop needs to leave Yahoo Groups for messaging and group communications. If Scouting.org could provide that tool, great. But with the current timeouts, I couldn’t support that migration.

1 Like

We are not able to tell you who is in a position to change the timeout. The SUAC is advocating on behalf of the users for the timeout to be changed.

Discourse allows longer than a 1 hour timeout. The BSA decided to set it to 1 hour for their use.

I don’t understand why a 1 hour timeout is a show stopper for you. Yes, it is annoying, but every browser and mobile phone will allow credentials to be stored. When I’m using my iPhone, clicking on the ID field then the saved ID/PW only slows me down about 2 seconds. When using my computer, I have my ID/PW saved in the browser so again, it only delays about 2 seconds.

Because I don’t think users of any service should be subject to avoidable, unnecessary inconveniences. We should be taking down all reasonable barriers to adoption, not making excuses for how they’re not really a big deal.

1 Like

Steve - the old forums operated in the same manner. I do not think either this or the legacy forums were envisioned as something like group persistent chats. I think that is what it seems you want this to be.

At the moment, the only thing I seek to change in the forum is the overhead in accessing it. The entry method locks every hour, so every single day (or 61 minute interval) that one wants to participate, they have to go through the digital equivalent of fumbling about for their keys to unlock the door.

I contend it’s unnecessary to lock the system at this frequency, and isn’t just irritating, but a disincentive for adoption.

If there’s a reason to lock every hour, please tell me. I’m listening.

1 Like

Perhaps there is something out there that meets your criteria and that would be a better solution than this. No scouting unit is required to use Scoutbook.