Bug 1511014 - if your session is idle but left in active tab, you are not logged-out
Summary: if your session is idle but left in active tab, you are not logged-out
Keywords:
Status: CLOSED DUPLICATE of bug 1443505
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Authentication
Version: 6.3.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: low
Target Milestone: Unspecified
Assignee: Marek Hulan
QA Contact: Katello QA List
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-11-08 14:15 UTC by Jan Hutař
Modified: 2018-04-16 11:55 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-16 11:55:21 UTC
Target Upstream Version:
Embargoed:



Description Jan Hutař 2017-11-08 14:15:21 UTC
Description of problem:
If your session is idle but left in active tab, you are not logged-out


Version-Release number of selected component (if applicable):
satellite-6.3.0-21.0.beta.el7sat.noarch (snap 24)


How reproducible:
always


Steps to Reproduce:
1. For easier testing, go to Administer -> Settings -> Authentication and set
   "Idle timeout" to 1 (i.e. minute)
2. Open a new browser window, log in and go to some page which is not
   auto-reloading (the dashboard or task status page is usually auto-reloading)
3. Put the window on some other desktop so you do not accidentally click on it
   and wait a minute
4. Return to the window and click on something


Actual results:
Notice you were not logged out


Expected results:
You should be redirected to login page

Comment 3 Jan Hutař 2017-11-08 14:19:06 UTC
Even if this works as expected (well, I assume this regresses the use case where an admin leaves their workstation unprotected with the Satellite WebUI open), it should IMO be mentioned in some "noticeable changes" section of the release notes.

Comment 4 Marek Hulan 2017-11-08 14:32:03 UTC
Is that a documentation bug or what are we supposed to fix? Should we look into how notification refresh requests could be prolonging the session?

Comment 5 Jan Hutař 2017-11-09 06:53:54 UTC
I do not know if this is a product or documentation bug. It depends on what the expected behavior is. If the loss of the "admin forgets about its session so we log him off" use case is expected, then this is just a docs bug, as IMO we should notify about the change.

Comment 6 Roman Plevka 2017-11-09 10:48:47 UTC
(In reply to Marek Hulan from comment #4)
> Is that a documentation bug or what are we supposed to fix? Should we look
> into how notification refresh requests could be prolonging the session?

Well, since there is a setting "idle timeout", I would assume it is referring to user idleness, not the pages, so the session should time out if there is no user interaction for the specified time. This is not happening, since the page keeps talking to Satellite using the user's session cookie - I would say this is definitely not cool.
I think the same might apply to all the "autoreload" features around the WebUI (e.g. dashboard).
The built-in AJAX calls should be excluded from session cookie keep-alives.

Comment 7 Marek Hulan 2018-04-16 11:55:21 UTC
I think this is effectively a duplicate of BZ 1443505, so closing as such. Please reopen if I misunderstood the request. I tested on a recent version (1.18) and it logs me out after the idle interval even if the tab remains active.

*** This bug has been marked as a duplicate of bug 1443505 ***
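
The behaviour discussed in comment 6, as an added example that is not part of the original thread and is not Satellite or Foreman code: a minimal idle-timeout tracker replayed over a constructed request trace, first letting background polling refresh the session and then excluding it. The class name, the endpoint paths and the trace are assumptions made for illustration.

```ruby
# Idle-timeout bookkeeping with and without background polling counted as activity.
# Hypothetical names and paths; not the product's implementation.
class IdleTracker
  # Endpoints called by page scripts without user interaction (constructed).
  BACKGROUND_PATHS = ['/notifications/poll', '/dashboard/refresh'].freeze

  def initialize(idle_timeout_minutes:, ignore_background:)
    @timeout = idle_timeout_minutes * 60
    @ignore_background = ignore_background
    @last_activity = nil
  end

  def login(now)
    @last_activity = now
  end

  # Returns :ok when the request is served, :login_required when the
  # session has expired (or was already destroyed).
  def handle(path, now)
    return :login_required if @last_activity.nil?
    if now - @last_activity > @timeout
      @last_activity = nil # destroy the session server-side
      return :login_required
    end
    background = BACKGROUND_PATHS.include?(path)
    # Only user-driven requests move the idle clock when polling is ignored.
    @last_activity = now unless background && @ignore_background
    :ok
  end
end

# Constructed trace: [seconds since login, path]. The page polls every 20 s;
# the user comes back and clicks after 90 s with "Idle timeout" set to 1 minute.
TRACE = [[20, '/notifications/poll'], [40, '/notifications/poll'],
         [60, '/notifications/poll'], [80, '/notifications/poll'],
         [90, '/hosts']].freeze

def replay(ignore_background)
  tracker = IdleTracker.new(idle_timeout_minutes: 1, ignore_background: ignore_background)
  tracker.login(0)
  TRACE.map { |seconds, path| tracker.handle(path, seconds) }
end

if __FILE__ == $PROGRAM_NAME
  puts "polling refreshes session: #{replay(false).inspect}"
  puts "polling ignored:           #{replay(true).inspect}"
end
```

Background requests are classified by path on the server rather than by a client-supplied marker, so a page script cannot opt itself into keeping the session alive.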

