Bug 1397571

Summary: Implement session timeout in web interface
Product: OpenShift Container Platform Reporter: Michael Epley <mepley>
Component: RFEAssignee: Jessica Forrester <jforrest>
Status: CLOSED NEXTRELEASE QA Contact: Xiaoli Tian <xtian>
Severity: low Docs Contact:
Priority: low    
Version: 3.4.0CC: aos-bugs, erich, jliggitt, jokerman, mepley, mmccomas, sspeiche
Target Milestone: ---Flags: erich: needinfo? (mepley)
Target Release: 3.9.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-01-19 15:12:57 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Michael Epley 2016-11-22 20:38:11 UTC
Description of problem:

Openshift's web interface should periodically check the user's current logged in user to ensure the sesssion token is still valid. On invalidation, the session should expire and the user interface should be redirected to the login page (or other destination). This is a requirement of NIST 800-53 AC-11(1).

Version-Release number of selected component (if applicable):

OCP 3.3

How reproducible:

Perfectly; this is not a current capability of openshift.

Steps to Reproduce:
1. Access the web interface of an OCP cluster configured via default settings.
2. Log into the web interface; leave the web interface up.
3. Wait 24 hours.

Actual results:

The web interface is still displayed.

Expected results:

The user is automatically logged out (and their session expired) of the web interface after a (configurable) period of inactivity -- a default of 15 minutes is ideal. The user should be redirected to the login web page.

Additional info:

Comment 4 Steve Speicher 2018-01-19 15:40:52 UTC
Correction, this is coming in 3.9. Wrong trello card was linked.