
Enforce Session Timeout on UI #421

Closed
manjulaK opened this issue Apr 19, 2023 · 3 comments

Labels: effort: low, priority: high, status: not-picked-yet (At the moment we have not picked this item. Anyone can pick it up), type: enhancement (Feature enhancement)

Comments


manjulaK commented Apr 19, 2023

It is important that the UI times out after a preconfigured session limit (set in cdk.json). Current behaviour is that when refreshed, a new session is started and the user continues to be active. This is true for all versions of data.all.

@dlpzx dlpzx added type: enhancement (Feature enhancement), priority: high, status: not-picked-yet (At the moment we have not picked this item. Anyone can pick it up) labels Apr 20, 2023

dlpzx commented Apr 20, 2023

Hi @manjulaK, thanks for raising the issue. For reference, here is some more detail on the issue: when a user logs in to the data.all UI, the authentication tokens provided last for 1h before they expire. If the user then refreshes the UI page, we request a new token, but the user does not need to log in again.

For security, we would like to force the logout of the user after the session has timed out. We will need to review the current implementation (frontend/src/hooks/useToken.js)

manjulaK (author) commented

What we have tested and confirmed so far: 1) Cognito does allow refresh tokens to be set with a minimum validity of 60 mins; 2) data.all by default sets this refresh value to 30 days. There should be a configuration parameter to enforce session timeout.
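The behaviour discussed in this thread (a refresh token that silently extends the session on page reload, with the session limit read from a cdk.json-style setting) can be bounded on the client by recording the interactive login time and refusing a silent refresh once the configured limit has elapsed. The code below is an added example written for this issue, not data.all's own `useToken.js`; the config key `session_timeout_minutes`, the storage key and the `SessionGuard` name are all hypothetical.

```javascript
// Constructed sample config in the shape of a cdk.json-style setting
// (the key name is an assumption, not data.all's real parameter).
const APP_CONFIG = { session_timeout_minutes: 60 };

const SESSION_KEY = 'session_started_at';

// Minimal in-memory stand-in for window.sessionStorage so the example
// runs outside a browser; in a real app pass sessionStorage itself.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
    removeItem: (k) => m.delete(k),
  };
}

class SessionGuard {
  // `now` is injectable so the timeout logic can be tested deterministically.
  constructor(storage, config, now = () => Date.now()) {
    this.storage = storage;
    this.limitMs = config.session_timeout_minutes * 60 * 1000;
    // A missing or non-positive limit would silently disable the timeout,
    // so fail closed at construction time instead.
    if (!(this.limitMs > 0)) throw new Error('session_timeout_minutes must be > 0');
    this.now = now;
  }

  // Call once after a successful interactive login (not after a silent refresh).
  startSession() {
    this.storage.setItem(SESSION_KEY, this.now());
  }

  // Call before silently requesting a new token (e.g. on page reload).
  // Returns 'refresh' while the absolute session limit has not elapsed,
  // otherwise 'logout'; the caller must then sign the user out rather
  // than rely on the still-valid Cognito refresh token.
  decideOnRefresh() {
    const raw = this.storage.getItem(SESSION_KEY);
    if (raw === null) return 'logout'; // no recorded login: do not trust the token alone
    const started = Number(raw);
    if (Number.isNaN(started) || this.now() - started >= this.limitMs) {
      this.storage.removeItem(SESSION_KEY);
      return 'logout';
    }
    return 'refresh';
  }
}
```

Note that this only bounds the UI session; the refresh token itself stays valid until Cognito's configured validity expires, so the server-side setting still needs to be shortened as well.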

@anmolsgandhi anmolsgandhi added this to Backlog in Data.all Backlog via automation Sep 7, 2023
@anmolsgandhi anmolsgandhi added this to the v2.1.0 milestone Sep 8, 2023
@anmolsgandhi anmolsgandhi moved this from Backlog to To do in Data.all Backlog Sep 10, 2023
@anmolsgandhi anmolsgandhi added this to To do in v2.1.0 Sep 15, 2023
@anmolsgandhi anmolsgandhi removed this from To do in Data.all Backlog Sep 15, 2023
@dlpzx dlpzx moved this from To do to Review in progress in v2.1.0 Oct 12, 2023
noah-paige pushed a commit that referenced this issue Oct 13, 2023
### Feature or Bugfix
<!-- please choose -->
- Feature

### Detail
Allows the user to configure a session timeout. Today data.all by default
sets the refresh token to 30 days, but with this change it becomes
configurable.

### Relates
#421

### Security
Please answer the questions below briefly where applicable, or write
`N/A`. Based on
[OWASP 10](https://owasp.org/Top10/en/).

- Does this PR introduce or modify any input fields or queries - this
includes
fetching data from storage outside the application (e.g. a database, an
S3 bucket)?
  - Is the input sanitized?
- What precautions are you taking before deserializing the data you
consume?
  - Is injection prevented by parametrizing queries?
  - Have you ensured no `eval` or similar functions are used?
- Does this PR introduce any functionality or component that requires
authorization?
- How have you ensured it respects the existing AuthN/AuthZ mechanisms?
  - Are you logging failed auth attempts?
- Are you using or adding any cryptographic features?
  - Do you use standard proven implementations?
  - Are the used keys controlled by the customer? Where are they stored?
- Are you introducing any new policies/roles/users?
  - Have you used the least-privilege principle? How?


By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.

Co-authored-by: Manjula <manjula.kasturi@gmail.com>
@dlpzx dlpzx moved this from Review in progress to Done in v2.1.0 Oct 16, 2023

dlpzx commented Nov 8, 2023

Merged and released with v2.1.0 🚀

@dlpzx dlpzx closed this as completed Nov 8, 2023