Ansible Automation Platform RFEs: AAPRFE-708

[RFE] Add "SESSION_EXPIRE_AT_BROWSER_CLOSE" and "SESSION_SAVE_EVERY_REQUEST" options in controller setting.

    • Type: Feature Request
    • Priority: Normal
    • Resolution: Duplicate
    • Component: controller

      Feature Overview

      [RFE] Add "SESSION_EXPIRE_AT_BROWSER_CLOSE" and "SESSION_SAVE_EVERY_REQUEST" options in controller setting.

      Background, and strategic fit

      A DISA (U.S. Federal Government) requirement mandates logging interactive user sessions off after 10 minutes of inactivity for the Ansible Automation Platform, which includes both Ansible Private Automation Hub and Ansible Automation Controller.

      The requirement is from the DISA Container Platform Security Requirements Guide, found at:
      https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Container_Platform_V1R3_SRG.zip

      Specifically, requirement V-233108: "The application must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity"

      This requirement to log off after inactivity is mirrored across many other DISA security controls, e.g. the DISA Application Server SRG, as well as similar requirements for other types of services such as the Apache web server in the Apache Web Server STIG, SSH communications in the DISA Red Hat Enterprise Linux STIG, etc., so this specific security control has precedent in security guidance for other applications and for the operating system itself.

      The customer researched this particular behavior and found that in Django (on which both Pulp, used by Private Automation Hub, and Automation Controller are based) three settings control it:
      SESSION_EXPIRE_AT_BROWSER_CLOSE = True
      SESSION_COOKIE_AGE = 600
      SESSION_SAVE_EVERY_REQUEST = True

      For Ansible Automation Controller, SESSION_COOKIE_AGE is available in the Automation Controller list of settings (from /api/v2/settings/all); setting it is recognized by Automation Controller and a session will log out after 10 minutes of inactivity. However, SESSION_EXPIRE_AT_BROWSER_CLOSE and SESSION_SAVE_EVERY_REQUEST do not appear to be recognized by Automation Controller. As a result, the interactive session does not expire when the browser window is closed, and the session expires after the set time (in this case 600 seconds) regardless of whether it is in active use at that moment; the latter is the behavior SESSION_SAVE_EVERY_REQUEST would control.
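      The interaction between the three settings, shown as an added illustration that is not code from Automation Controller, Pulp or Django itself: a small in-memory session store that follows Django's documented semantics for SESSION_COOKIE_AGE, SESSION_SAVE_EVERY_REQUEST and SESSION_EXPIRE_AT_BROWSER_CLOSE, plus an audit check of a settings object against the 10-minute inactivity requirement. The names SessionSettings, SessionStore, audit_settings, simulate and survives_idle_gap are assumptions made for this example.

```python
"""Model of the three Django session settings discussed in this RFE.

Added illustration, not Automation Controller or Django code. It reproduces
the documented meaning of SESSION_COOKIE_AGE, SESSION_SAVE_EVERY_REQUEST and
SESSION_EXPIRE_AT_BROWSER_CLOSE in a tiny in-memory store, so the difference
between a fixed timeout and an idle-based timeout can be checked directly.
"""
from dataclasses import dataclass

INACTIVITY_LIMIT_SECONDS = 600  # DISA V-233108: 10 minutes of inactivity


@dataclass
class SessionSettings:
    """Subset of Django settings; defaults mirror Django's own defaults."""
    SESSION_COOKIE_AGE: int = 1209600          # two weeks
    SESSION_SAVE_EVERY_REQUEST: bool = False
    SESSION_EXPIRE_AT_BROWSER_CLOSE: bool = False


@dataclass
class Session:
    expires_at: float  # seconds since an arbitrary epoch


class SessionStore:
    """Hypothetical server-side store with Django-like expiry rules."""

    def __init__(self, settings: SessionSettings):
        self.settings = settings
        self.sessions: dict[str, Session] = {}

    def login(self, sid: str, now: float) -> str:
        """Create a session and return the Set-Cookie value the client gets."""
        self.sessions[sid] = Session(now + self.settings.SESSION_COOKIE_AGE)
        return self.set_cookie_value(sid)

    def request(self, sid: str, now: float) -> bool:
        """Return True if the request is served by a live session."""
        session = self.sessions.get(sid)
        if session is None or now >= session.expires_at:
            self.sessions.pop(sid, None)
            return False
        if self.settings.SESSION_SAVE_EVERY_REQUEST:
            # Saving on every request re-stamps the expiry, so the timeout
            # counts from the last activity instead of from login.
            session.expires_at = now + self.settings.SESSION_COOKIE_AGE
        return True

    def set_cookie_value(self, sid: str) -> str:
        if self.settings.SESSION_EXPIRE_AT_BROWSER_CLOSE:
            # No Max-Age: a browser-session cookie, dropped on browser close.
            return f"sessionid={sid}; HttpOnly; Secure"
        return (f"sessionid={sid}; Max-Age={self.settings.SESSION_COOKIE_AGE}; "
                "HttpOnly; Secure")


def audit_settings(settings: SessionSettings) -> list[str]:
    """Findings against the 10-minute inactivity requirement (empty = compliant)."""
    findings = []
    if settings.SESSION_COOKIE_AGE > INACTIVITY_LIMIT_SECONDS:
        findings.append(f"SESSION_COOKIE_AGE={settings.SESSION_COOKIE_AGE} "
                        f"exceeds {INACTIVITY_LIMIT_SECONDS}s")
    if not settings.SESSION_SAVE_EVERY_REQUEST:
        findings.append("SESSION_SAVE_EVERY_REQUEST is False: timeout is fixed "
                        "from login, not based on inactivity")
    if not settings.SESSION_EXPIRE_AT_BROWSER_CLOSE:
        findings.append("SESSION_EXPIRE_AT_BROWSER_CLOSE is False: cookie "
                        "persists after the browser is closed")
    return findings


def simulate(settings: SessionSettings) -> int:
    """Drive one session with a request every 5 minutes for 30 minutes.

    Returns how many of those six requests were served before expiry.
    """
    store = SessionStore(settings)
    store.login("abc", now=0)
    served = 0
    for t in range(300, 1801, 300):  # 5, 10, 15, ... 30 minutes
        if not store.request("abc", now=t):
            break
        served += 1
    return served


def survives_idle_gap(settings: SessionSettings, gap: float) -> bool:
    """One request at t=60, then silence for `gap` seconds, then a request."""
    store = SessionStore(settings)
    store.login("abc", now=0)
    store.request("abc", now=60)
    return store.request("abc", now=60 + gap)


if __name__ == "__main__":
    fixed = SessionSettings(SESSION_COOKIE_AGE=600)
    hardened = SessionSettings(600, True, True)
    print("fixed timeout, requests served:", simulate(fixed))
    print("idle timeout, requests served:", simulate(hardened))
    print("findings for Django defaults:", audit_settings(SessionSettings()))
```

      With only SESSION_COOKIE_AGE=600 the simulated session is cut off at the second request, even though the user was active; with SESSION_SAVE_EVERY_REQUEST=True all six requests are served, while a silence longer than 600 seconds still ends the session, which is the idle-based behavior the requirement asks for.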

            bcoursen@redhat.com Brian Coursen
            rhn-support-pghadge Prakash Ghadge