Skip to content

feat: real, admin-configurable session timeout + cookie hardening (B4)#64

Merged
ball42 merged 6 commits into
developfrom
fix/j6-session-timeout
Jul 9, 2026
Merged

feat: real, admin-configurable session timeout + cookie hardening (B4)#64
ball42 merged 6 commits into
developfrom
fix/j6-session-timeout

Conversation

@ball42

@ball42 ball42 commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

Makes the console session timeout real and admin-configurable, and hardens session cookies (internal ref J6 / B4). Verified against the smoke harness.

B4 — the 15-minute timeout was never enforced

permanent_session_lifetime was set but session.permanent was never set, so Flask never applied the lifetime — the sliding-window heartbeat pushed against a limit that didn't govern, and the timeout-warning modal advertised a window the server didn't enforce.

  • Set session.permanent = True on login success so the lifetime actually governs.
  • before_request now resolves the configured timeout each request and applies it (change takes effect with no restart).
  • Session cookies hardened: Secure, HttpOnly, SameSite=Lax.

New — admin-configurable timeout

Setup now offers a session-timeout dropdown: 15 minutes (default) / 1 hour / 4 hours / 8 hours, stored in server.json. This addresses reports of getting logged out mid-workflow-testing (lining up devices, enrolling, monitoring Jamf takes time) without weakening the default.

  • The 15-minute default is unchanged and remains the most secure option.
  • The 4h/8h tiers are labeled Extended with inline security-trade-off copy — a signed-in console left unattended is exposed for longer, so the choice is deliberate.
  • No "never expire" option (deliberately excluded — poor posture on a console that can push automations).
  • Fail-safe: any missing, malformed, off-ladder, or non-object server.json resolves to 15 minutes — never longer. A hand-edited/corrupt config can never open a longer window or crash the console.

Modal accuracy

The timeout-warning modal now counts down against the effective configured timeout (server-injected), so it never advertises a window the server doesn't enforce.

Tests

New tests/test_session.py: ladder resolution + fail-safe (incl. bools/floats/non-dict config), enforcement, cookie flags, /setup round-trip + off-ladder clamp, and the modal's injected value. Full suite green (78 passed, 2 xfailed), ruff clean.

Notes

  • The extended tiers are a deliberate, admin-labeled trade-off — documented so the posture isn't "fixed" blind later.
  • Per-boot secret key still caps effective session lifetime at the next restart regardless of setting (unchanged; out of scope).
  • Targets develop for the batched v3.2 release.

ball42 added 6 commits July 8, 2026 13:32
The client-side timeout warning modal now counts down against the
effective server-resolved timeout instead of a hardcoded 15 minutes,
so it never advertises a window longer than the server enforces.

inject_common_vars now exposes session_timeout_seconds (deferred import
of _resolve_session_timeout to avoid a circular import), and the modal
JS reads it with a default(900) guard. Also wires the /setup timeout
help note to its select via aria-describedby.
@ball42 ball42 merged commit 81839d1 into develop Jul 9, 2026
2 checks passed
@ball42 ball42 deleted the fix/j6-session-timeout branch July 9, 2026 20:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant