Bug 661508 - (RFE) Allow user-configurable period of inactivity after which authenticated session will timeout in luci
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: luci
Version: 14
Hardware: Unspecified
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Jan Pokorný [poki]
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 660446
Blocks:
Reported: 2010-12-08 21:26 UTC by Jan Pokorný [poki]
Modified: 2011-08-18 15:47 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2010-12-13 19:36:04 UTC
Type: ---
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 660446 0 medium CLOSED Luci package neither well maintainable wrt external files (cross-references, values integrity etc.) nor it forms compact... 2021-02-22 00:41:40 UTC

Internal Links: 660446

Description Jan Pokorný [poki] 2010-12-08 21:26:29 UTC
Current state
-------------
Commit
http://git.fedorahosted.org/git/?p=luci.git;a=commit;h=cef6da6fd7b45db6554af6a1e398a1fe4694b166
came with "force idle sessions to timeout after 15 minutes of inactivity"
settings for the auth_tkt authentication plugin (via the repoze.who middleware,
which auth_tkt is a part of).

But it has a drawback, as the additional configuration options used for that
are supported by repoze.who >= 2.0.14, and if an older version is used, it
leads to a failure in combination with them (unfortunately, this middleware is
not designed to support this kind of backward compatibility).


What to change
--------------
Due to the previously stated, it would be reasonable to maintain this backward
compatibility (at least for some time) with repoze.who before 2.0.14
(which could be arranged easily by wrapping the creation of the auth_tkt
plugin, trying it with all available parameters and, if it fails, trying
with the limited parameters supported by repoze.who before 2.0.14).

Apparently, the more important change is to allow the user to customize
this idle session timeout.
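
The wrapping described under "What to change", as an added example that is not part of the original report and not luci's own code. The two factories are constructed stand-ins for the newer and older plugin constructors, and it is an assumption here that the older one rejects the unknown keyword arguments with TypeError; the helper names are hypothetical.

```python
import logging

log = logging.getLogger("luci.auth")  # hypothetical logger name

DEFAULT_IDLE_TIMEOUT = 900  # seconds; the default value the report mentions


def parse_idle_timeout(raw, default=DEFAULT_IDLE_TIMEOUT):
    """Turn the configured value (a string or None) into positive seconds."""
    if raw is None or not str(raw).strip():
        return default
    value = int(raw)  # ValueError on garbage: fail at startup, not at login
    if value <= 0:
        raise ValueError("idle timeout must be a positive number of seconds")
    return value


def make_auth_tkt(factory, secret, raw_timeout=None):
    """Build the plugin with idle-timeout options, falling back without them.

    Returns (plugin, enforced). enforced is False when the factory rejected
    the timeout keywords, so the caller can surface that idle sessions
    will not be expired on this installation.
    """
    timeout = parse_idle_timeout(raw_timeout)
    try:
        # Reissue the ticket well before expiry so activity extends the session.
        plugin = factory(secret=secret, timeout=timeout,
                         reissue_time=max(1, timeout // 10))
        return plugin, True
    except TypeError:
        log.warning("auth_tkt factory rejects timeout options; "
                    "idle sessions will NOT expire after %d s", timeout)
        return factory(secret=secret), False


# Constructed stand-ins for the two generations of plugin factory.
def new_factory(secret, timeout=None, reissue_time=None):
    return {"secret": secret, "timeout": timeout, "reissue_time": reissue_time}


def old_factory(secret):
    return {"secret": secret}


if __name__ == "__main__":
    print(make_auth_tkt(new_factory, "constructed-secret", "60"))
    print(make_auth_tkt(old_factory, "constructed-secret", "60"))
```

The fallback keeps the service starting on older installations, but the returned flag and the warning matter: without them the compatibility path silently drops the idle timeout.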

Comment 1 Jan Pokorný [poki] 2010-12-08 21:27:32 UTC
Note: this was fixed in the context of work on pkg-update upstream
      branch which means the fix ties closely to the major change
      brought from this branch into main-line upstream code
      in connection with bug #660446

Comment 2 Jan Pokorný [poki] 2010-12-08 22:05:28 UTC
Commit http://git.fedorahosted.org/git/?p=luci.git;a=commit;h=3b02c9c01aabace3dbb173206937ac6a5d1a2fbd addresses this bug.

Comment 3 Jan Pokorný [poki] 2010-12-11 11:58:04 UTC
To test this, basically this sequence (made after installation) will serve its
purpose:

Comment 4 Jan Pokorný [poki] 2010-12-11 12:15:49 UTC
...

note: following is applicable only if python-repoze-who >= 2.0.14 is
      installed -- otherwise a simple check that luci works as usual when
      (re)started could be performed (to ensure that backward compatibility
      with older versions of python-repoze-who is kept)

1. edit /etc/sysconfig/luci -> uncomment "who.auth_tkt_timeout"
   configuration item and set the period (in sec) of authenticated
   session inactivity before the session is invalidated -- this
   will be the main subject of the test
2. (re)start luci, log in and keep the page open for slightly longer
   time than defined in the step 1.
3. reload the page (e.g. by F5) and see if you have been logged out

To ensure that this configuration item is really taken into account
(and not the default value which is currently 900 sec) the test should be
repeated with a measurably different period set.

