
Session Timeout? #1943

Closed
adamamyl opened this issue Sep 22, 2014 · 3 comments

@adamamyl
Contributor

Pondering the idea of something to automatically handle session time outs —

The CKAN application does not appear to have any form of session expiry in place. Session expiry is important to ensure that unauthorised use of the application is not possible in situations such as a user forgetting to shut down their browser or leaving their workstation unattended for extended periods.

Suggested fix

Functionality needs to be developed, or enabled if it is already present, to expire a user’s session on the server side, in effect logging them out of the application after a predefined interval of inactivity.

— is this an issue, per se, or something that's more of a social issue (aka lock your workstation when you leave)?

(origin: pentest)

@amercader
Member

This can probably be handled via beaker configuration. Investigate and document if necessary.

@amercader amercader added this to the CKAN 2.3 milestone Oct 22, 2014
@amercader amercader assigned brew and unassigned adamamyl Oct 23, 2014
@brew
Member

brew commented Oct 29, 2014

tl;dr: How long should sessions last?

As far as I can see authentication doesn't use beaker. The authentication session is handled by Repoze.who with an authentication ticket object stored as the value of an auth_tkt cookie. The ticket has a timestamp which is compared against a timeout value (if present in who.ini). If there is no timeout value present the session doesn't expire until the cookie does (set into the far future by default).

With this version of Repoze.who (1.0.19), it's not possible to set max_age for the cookie (at least, not easily), but we can set the timeout value, which effectively achieves the same thing. So, how long should a session last?
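The ticket check described in the comment above, as an added example (not CKAN's or repoze.who's own code): a ticket carries the time it was issued, `timeout` seconds after that it is rejected server-side, and `reissue_time` decides when a still-valid ticket gets a fresh timestamp. The ticket layout, the HMAC-SHA256 digest, the secret and the `resolve_setting` helper (who.ini first, then the CKAN config keys `who.timeout` / `who.reissue_time`) are assumptions for illustration; the real auth_tkt format is different.

```python
"""Simulation of auth_tkt-style session expiry and ticket reissue.

Added example, not CKAN's or repoze.who's code. The ticket layout and the
HMAC-SHA256 digest are a simplified stand-in for the real auth_tkt format;
the comparisons mirror the behaviour described in the issue thread.
"""
import hashlib
import hmac
import time

# Assumption: a real deployment takes this from who.ini, not a literal.
SECRET = b"constructed-example-secret"


def make_ticket(userid, issued_at, secret=SECRET):
    """Build 'digest!timestamp!userid'; the digest covers timestamp and userid."""
    ts = "%08x" % int(issued_at)
    payload = f"{ts}!{userid}".encode()
    digest = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return f"{digest}!{ts}!{userid}"


def parse_ticket(ticket, secret=SECRET):
    """Return (issued_at, userid), or None when the digest does not verify."""
    try:
        digest, ts, userid = ticket.split("!", 2)
    except ValueError:
        return None
    expected = hmac.new(secret, f"{ts}!{userid}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(digest, expected):
        return None
    return int(ts, 16), userid


def identify(ticket, timeout=None, reissue_time=None, now=None, secret=SECRET):
    """Apply the timeout / reissue_time rules from the thread.

    - no timeout: the ticket is good until the cookie itself expires
    - issued_at + timeout < now: treated exactly like having no cookie
    - issued_at + reissue_time < now: accepted, but a fresh ticket is handed back
    Returns (userid_or_None, new_ticket_or_None).
    """
    now = time.time() if now is None else now
    parsed = parse_ticket(ticket, secret)
    if parsed is None:
        return None, None
    issued_at, userid = parsed
    if timeout is not None and issued_at + timeout < now:
        return None, None  # inactivity timeout reached: session is over
    new_ticket = None
    if reissue_time is not None and issued_at + reissue_time < now:
        new_ticket = make_ticket(userid, now, secret)  # sliding window
    return userid, new_ticket


def resolve_setting(name, who_ini, ckan_config):
    """who.ini wins; otherwise fall back to the CKAN config key 'who.<name>'.

    Hypothetical helper modelling the fallback the commits in this issue add.
    """
    value = who_ini.get(name)
    if value is None:
        value = ckan_config.get(f"who.{name}")
    return int(value) if value is not None else None
```

Note the asymmetry: a ticket past `timeout` is simply absent as far as the application is concerned, while one past `reissue_time` still authenticates and only gets its timestamp refreshed, so `reissue_time` has to be shorter than `timeout` for the sliding window to do anything.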

brew added a commit to brew/ckan that referenced this issue Oct 29, 2014
Can set the session timeout and reissue_time from the config file if
these aren't provided by who.ini. New config settings:

who.timeout
who.reissue_time
brew added a commit to brew/ckan that referenced this issue Oct 29, 2014
This provides too fine-grained control for most users. So leaving it out
of the template (though leaving use of the setting in the code).
brew added a commit to brew/ckan that referenced this issue Nov 20, 2014
All config should be centralized to the .ini files.
@brew brew closed this as completed Nov 24, 2014