Sessions expiration time

[mporracindie]

As an enhancement request, I would like to ask for a configuration to change how long a session lasts until it gets logged out.

[Infraded]

The Opendistro docs for this plugin are sparse to say the least, but there are existing options for timeouts already.

In kibana.yml:

opendistro_security.cookie.ttl | Integer, lifetime of the cookie in milliseconds. Can be set to 0 for session cookie. Default: 1 hour

opendistro_security.session.ttl | Integer, lifetime of the session in milliseconds. If set, the user is prompted to log in again after the configured time, regardless of the cookie. Default: 1 hour

opendistro_security.session.keepalive | boolean, if set to true the session lifetime is extended by opendistro_security.session.ttl upon each request. Default: true

[snarmaev]

Hello, I have the same issue with the expiring session time in Kibana. However, I have set options to keep session for 24 hours in kibana.yml

opendistro_security.cookie.ttl: 86400000
opendistro_security.session.ttl: 86400000
opendistro_security.session.keepalive: true

Could you please help with this issue?

[ashuraits]

I experience the same issue, I have set the ttls for 7 days. I am using SAML authentication and the IDP session is 14 days. However, Kibana continues to logout users after 1 hour

[yuriydzobak]

The issue is still present =(

[fatalglitch]

Upvote... can we get some attention on this? We use OpenID Connect and the ODFE Security Plugin does not handle the session extension/timeout properly at all

[ronansalmon]

We use OpenID and we are seeing this as well. We've set the TTL on our IDP to 5 minutes. A tcpdump shows traffic to the IDP 5 minutes after being logged in, but the user can no longer access to anything. This is really disturbing from a user experience. Your are still logged in, no warning about your session being expired, but you don't have access to anything.

So I guess there are two issues here :

• Security Plugin does not handle the session extension/timeout properly
• The user is not logged out when session expires (or no warning/messages)

[linbingdouzhe]

same here . still logout over 1h

[geekyouth]

Please give me an advise how to solve this bug quickly???

[FranciscoKurpiel]

Is opendistro still active? If not, please update you main README.md to mark it as abandoned.

[bbrendon]

I don't see any documentation or source code supporting these options. Feel free to correct me if I'm wrong.

opendistro_security.cookie.ttl 
opendistro_security.session.ttl
opendistro_security.session.keepalive

[mvanderlee]

It's opensearch_security. as defined by the configPath https://github.com/opensearch-project/security-dashboards-plugin/blob/main/opensearch_dashboards.json

Options are defined here: https://github.com/opensearch-project/security-dashboards-plugin/blob/main/server/index.ts

opensearch_security.cookie.ttl 
opensearch_security.session.ttl
opensearch_security.session.keepalive

[mvanderlee]

@AlexShuraits I had issues with SAML as well. My IDP's timeout is not being honored by OpenSearch and I had to manually set it.
More details here: #159 (comment)