Bug 1511014

Summary: if your session is idle but left in active tab, you are not logged-out
Product: Red Hat Satellite
Reporter: Jan Hutař <jhutar>
Component: Authentication
Assignee: Marek Hulan <mhulan>
Status: CLOSED DUPLICATE
QA Contact: Katello QA List <katello-qa-list>
Severity: low
Priority: unspecified    
Version: 6.3.0
CC: jhutar, mhulan, rplevka
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Last Closed: 2018-04-16 11:55:21 UTC
Type: Bug

Description Jan Hutař 2017-11-08 14:15:21 UTC
Description of problem:
If your session is idle but left in active tab, you are not logged-out


Version-Release number of selected component (if applicable):
satellite-6.3.0-21.0.beta.el7sat.noarch (snap 24)


How reproducible:
always


Steps to Reproduce:
1. For easier testing, Administer -> Settings -> Authentication and set
   "Idle timeout" to 1 (i.e. minute)
2. Open a new browser window, log in and go to some page which is not
   auto-reloading (dashboard or task status page is usually auto-reloading)
3. Put the window on some other desktop so you do not accidentally click on it
   and wait a minute
4. Return to the window and click on something


Actual results:
Notice you were not logged out


Expected results:
You should be redirected to login page

Comment 3 Jan Hutař 2017-11-08 14:19:06 UTC
Even if this works as expected (well, I assume this regresses the use case where an admin leaves their workstation unprotected with the Satellite WebUI opened), it should IMO be mentioned in some "noticeable changes" of the release notes.

Comment 4 Marek Hulan 2017-11-08 14:32:03 UTC
Is that a documentation bug or what are we supposed to fix? Should we look into how notification refresh requests could be prolonging the session?

Comment 5 Jan Hutař 2017-11-09 06:53:54 UTC
I do not know if this is a product or documentation bug. It depends on what the expected behavior is. If the loss of the "admin forgets about its session so we log him off" use case is expected, then this is just a docs bug, as IMO we should notify about the change.

Comment 6 Roman Plevka 2017-11-09 10:48:47 UTC
(In reply to Marek Hulan from comment #4)
> Is that a documentation bug or what are we supposed to fix? Should we look
> into how notification refresh requests could be prolonging the session?

Well, since there is a setting "idle timeout", I would assume it is referring to user idleness, not the page's, so the session should time out if there is no user interaction for the specified time. This is not happening, since the page keeps talking to Satellite using the user's session cookie - I would say this is definitely not cool.
I think the same might apply to all the "autoreload" features around the WebUI (e.g. dashboard).
The built-in AJAX calls should be excluded from session cookie keep-alives.
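
Added example, not part of the original bug thread and not Foreman/Satellite code: a minimal Ruby model of the behaviour discussed above, where background polling requests are served but do not reset the idle clock. The class name, the `X-Background-Poll` header and the timeline are assumptions made for illustration.

```ruby
# Illustrative model only; IdleSessionGuard and the header name are hypothetical.
class IdleSessionGuard
  BACKGROUND_HEADER = "X-Background-Poll" # assumed marker set by auto-refresh AJAX

  def initialize(idle_timeout_seconds)
    @idle_timeout = idle_timeout_seconds
    @last_user_activity = {} # session id => Time of last user-driven request
  end

  def login(session_id, now)
    @last_user_activity[session_id] = now
  end

  # Returns :ok or :expired. Background polls are checked against the session
  # but never extend it, so an unattended tab still times out.
  def handle_request(session_id, headers, now)
    last = @last_user_activity[session_id]
    return :expired if last.nil?

    if now - last > @idle_timeout
      @last_user_activity.delete(session_id) # invalidate server-side
      return :expired
    end

    @last_user_activity[session_id] = now unless background?(headers)
    :ok
  end

  private

  def background?(headers)
    headers.any? { |k, v| k.casecmp?(BACKGROUND_HEADER) && v == "1" }
  end
end

# Constructed timeline: 60 s idle timeout, a notification poll every 30 s,
# then the user returns and clicks at t = 150 s.
def simulate(mark_polls_as_background)
  guard = IdleSessionGuard.new(60)
  t0 = Time.at(0)
  guard.login("s1", t0)
  poll_headers = mark_polls_as_background ? { "X-Background-Poll" => "1" } : {}
  (1..4).each { |i| guard.handle_request("s1", poll_headers, t0 + 30 * i) }
  guard.handle_request("s1", {}, t0 + 150)
end
```

`simulate(false)` reproduces the reported behaviour (the click at 150 s succeeds), while `simulate(true)` expires the session. A client-supplied header is only a hint; classifying polling endpoints on the server side is harder for a script in the page to bypass.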

Comment 7 Marek Hulan 2018-04-16 11:55:21 UTC
I think this is effectively a duplicate of BZ 1443505 so closing as such. Please reopen if I misunderstood the request. I tested on a recent version (1.18) and it logs me out after the idle interval even if the tab remains active.

*** This bug has been marked as a duplicate of bug 1443505 ***