Bug 1397571 - Implement session timeout in web interface [NEEDINFO]
Summary: Implement session timeout in web interface
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE
Version: 3.4.0
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Target Release: 3.9.0
Assignee: Jessica Forrester
QA Contact: Xiaoli Tian
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-11-22 20:38 UTC by Michael Epley
Modified: 2021-06-10 11:41 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-01-19 15:12:57 UTC
Target Upstream Version:
erich: needinfo? (mepley)



Description Michael Epley 2016-11-22 20:38:11 UTC
Description of problem:

OpenShift's web interface should periodically check the user's current logged-in user to ensure the session token is still valid. On invalidation, the session should expire and the user interface should be redirected to the login page (or other destination). This is a requirement of NIST 800-53 AC-11(1).

Version-Release number of selected component (if applicable):

OCP 3.3

How reproducible:

Perfectly; this is not a current capability of OpenShift.

Steps to Reproduce:
1. Access the web interface of an OCP cluster configured via default settings.
2. Log into the web interface; leave the web interface up.
3. Wait 24 hours.

Actual results:

The web interface is still displayed.

Expected results:

The user is automatically logged out (and their session expired) of the web interface after a (configurable) period of inactivity -- a default of 15 minutes is ideal. The user should be redirected to the login web page.

Additional info:
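
A sketch of the client-side behaviour requested in the description, as an added example that is not part of the bug report or of OpenShift's console code. The names `createIdleGuard`, `attach`, `probeToken` and `onExpire` are hypothetical; the 15-minute default is the one the report suggests.

```javascript
// Added example. createIdleGuard, attach, probeToken and onExpire are hypothetical names.
const DEFAULT_IDLE_LIMIT_MS = 15 * 60 * 1000; // the 15-minute default suggested in the report

function createIdleGuard({ idleLimitMs = DEFAULT_IDLE_LIMIT_MS, now = Date.now, onExpire }) {
  let lastActivity = now();
  let expired = false;
  const expire = (reason) => {
    expired = true;
    onExpire(reason); // e.g. revoke the token server-side, clear local state, go to the login page
    return reason;
  };
  return {
    // Call on user input; ignored once the session has expired.
    recordActivity() {
      if (!expired) lastActivity = now();
    },
    // tokenValid is the result of the latest server-side token probe.
    check(tokenValid) {
      if (expired) return 'expired';
      if (!tokenValid) return expire('token-invalid');
      if (now() - lastActivity >= idleLimitMs) return expire('idle');
      return 'active';
    },
  };
}

// Browser wiring (not executed under Node).
function attach(guard, probeToken, intervalMs = 30 * 1000) {
  for (const ev of ['mousedown', 'keydown', 'scroll', 'touchstart']) {
    window.addEventListener(ev, () => guard.recordActivity(), { passive: true });
  }
  return setInterval(async () => {
    let valid = false;
    try {
      valid = await probeToken();
    } catch {
      valid = false; // assumption: fail closed when the probe cannot be completed
    }
    guard.check(valid);
  }, intervalMs);
}
```

The browser timer only drives the redirect; the token still has to expire or be revoked on the server for the session to actually end.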

Comment 4 Steve Speicher 2018-01-19 15:40:52 UTC
Correction, this is coming in 3.9. Wrong trello card was linked.

