Bug 921013

Summary: REST-API: Allow client to define the HTTP session TTL [scale]
Product: Red Hat Enterprise Virtualization Manager
Component: ovirt-engine-restapi
Reporter: Michael Pasternak <mpastern>
Assignee: Michael Pasternak <mpastern>
Status: CLOSED CURRENTRELEASE
QA Contact: vvyazmin <vvyazmin>
Severity: high
Priority: unspecified
Version: unspecified
CC: acathrow, bazulay, dyasny, hateya, iheim, lnatapov, mpastern, oramraz, Rhev-m-bugs, vvyazmin, ykaul
Target Release: 3.2.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: infra
Fixed In Version: sf13-beta2
Doc Type: Bug Fix
Type: Bug
oVirt Team: Infra
Bug Blocks: 926931

Description Michael Pasternak 2013-03-13 10:14:58 UTC
Description of problem:

Currently we do not specify a TTL for the HTTP session used for authentication,
so the default is used, but even if we did that, we should allow the client to
specify the session TTL manually (via HTTP header), as the user may have different
use-cases that may require long-running sessions.

Comment 1 vvyazmin@redhat.com 2013-03-13 11:48:19 UTC
This is a test blocker for scale tests, are there any workarounds for this?

Comment 3 Michael Pasternak 2013-03-13 12:16:26 UTC
(In reply to comment #1)
> This is a test blocker for scale tests, are there any workarounds for this?

yes,

1. change web.xml in restapi.war, e.g:

in /jboss-as-.../standalone/deployments/engine.ear/restapi.war/WEB-INF/web.xml

under <web-app> add this section:

<session-config>
  <session-timeout>...</session-timeout>
</session-config>

(note TTL in minutes)

2. restart JBoss

Comment 4 Michael Pasternak 2013-03-14 12:32:49 UTC
Session TTL can be explicitly set by user now via "Session-TTL:xxx"
HTTP header,

Session-TTL is the time between client requests before the servlet
container will invalidate this session. An interval value of zero
or less indicates that the session should never timeout.

(default TTL is 180 min)

Comment 5 vvyazmin@redhat.com 2013-03-14 14:13:49 UTC
Thanks. 
Configured session-timeout == 600 in the XML; my test ran with an open session for 5.37 hours.
Tested and works OK for me.

Comment 6 Michael Pasternak 2013-03-14 14:17:58 UTC
(In reply to comment #4)
> Session TTL can be explicitly set by user now via "Session-TTL:xxx"
> HTTP header,
> 
> Session-TTL is the time between client requests before the servlet
> container will invalidate this session. An interval value of zero
> or less indicates that the session should never timeout.
> 
> (default TTL is 180 min)

just a side note that is worth mentioning:

for the sake of preventing security flaws, TTL can be set only during session
initiation, i.e. the user has credentials (TTL cannot be changed during the
session lifetime)
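
The rules from comments 4 and 6, as an added example that is not part of the bug report and is not the ovirt-engine code: a small Python model of the idle-timeout bookkeeping. The class, its method names, the constructed session ids and the fallback to the default on a malformed header value are assumptions made for illustration.

```python
import math

DEFAULT_TTL_MIN = 180  # default stated in comment 4


class SessionStore:
    """Toy model of a servlet container's idle-timeout bookkeeping."""

    def __init__(self):
        self._sessions = {}  # session id -> [idle_limit_seconds, last_seen]
        self._next_id = 0

    def login(self, headers, now):
        """Session initiation: credentials are presented, TTL may be chosen."""
        raw = headers.get("Session-TTL")
        try:
            minutes = int(raw) if raw is not None else DEFAULT_TTL_MIN
        except ValueError:
            minutes = DEFAULT_TTL_MIN  # assumption: malformed value falls back
        # Zero or less means the session never times out (comment 4).
        limit = math.inf if minutes <= 0 else minutes * 60
        self._next_id += 1
        sid = f"s{self._next_id}"  # constructed id; real ids must be random
        self._sessions[sid] = [limit, now]
        return sid

    def request(self, sid, headers, now):
        """Follow-up request on an existing session; True if still valid.

        A Session-TTL header is ignored here: the TTL is fixed at initiation
        (comment 6), so a request carrying only the session id cannot
        lengthen the session.
        """
        entry = self._sessions.get(sid)
        if entry is None:
            return False
        limit, last_seen = entry
        if now - last_seen > limit:
            del self._sessions[sid]  # idle too long: invalidate
            return False
        entry[1] = now  # TTL counts idle time between requests, so reset it
        return True

    def idle_limit(self, sid):
        """Idle limit in seconds that was fixed when the session was created."""
        return self._sessions[sid][0]
```
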

Comment 7 Michael Pasternak 2013-03-28 08:51:45 UTC
*** Bug 926931 has been marked as a duplicate of this bug. ***

Comment 8 Leonid Natapov 2013-04-11 09:15:42 UTC
sf13

Comment 9 Itamar Heim 2013-06-11 08:22:32 UTC
3.2 has been released

Comment 10 Itamar Heim 2013-06-11 08:24:49 UTC
3.2 has been released