Feature Request
Resolution: Duplicate
Feature Overview
[RFE] Add "SESSION_EXPIRE_AT_BROWSER_CLOSE" and "SESSION_SAVE_EVERY_REQUEST" options in controller setting.
Background, and strategic fit
There is a DISA (U.S. Federal Government) requirement to log interactive user sessions off after 10 minutes of inactivity. It applies to the Ansible Automation Platform, which includes both Ansible Private Automation Hub and Ansible Automation Controller.
The requirement is from the DISA Container Platform Security Requirements Guide, found at:
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Container_Platform_V1R3_SRG.zip
Specifically:
requirement V-233108 - "The application must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity"
This requirement to log off after inactivity is mirrored across many other DISA security controls, e.g. the DISA Application Server SRG, as well as similar requirements for other types of services, such as the Apache web server in the Apache Web Server STIG and SSH in the DISA Red Hat Enterprise Linux STIG, so this specific security control has precedent in the security guidance for other applications and for the operating system itself.
Cu researched this particular behavior and found that in Django (on which both Pulp for Private Automation Hub and Automation Controller are based) three variables may control it:
SESSION_EXPIRE_AT_BROWSER_CLOSE = True
SESSION_COOKIE_AGE = 600
SESSION_SAVE_EVERY_REQUEST = True
For Ansible Automation Controller, SESSION_COOKIE_AGE is available in the Automation Controller settings list (from /api/v2/settings/all); setting it is recognized by Automation Controller, and a session will log out after 10 minutes of inactivity. However, SESSION_EXPIRE_AT_BROWSER_CLOSE and SESSION_SAVE_EVERY_REQUEST do not appear to be recognized by Automation Controller. As a result, the interactive session does not expire when the browser window is closed, and a session expires after the set time (here 600 seconds) regardless of whether it is in active use at that moment, which is the behavior SESSION_SAVE_EVERY_REQUEST would control.
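To make the interaction of the three settings concrete, here is an added example (not part of this RFE and not Django's own code) that models Django's session-expiry behavior: a fixed expiry from the last save when SESSION_SAVE_EVERY_REQUEST is False, versus a sliding idle timeout when it is True, plus the cookie max-age that SESSION_EXPIRE_AT_BROWSER_CLOSE controls. The simulator, its Session class and the request timeline are constructed for illustration and simplify Django (a real session is also re-saved whenever its data is modified).

```python
from dataclasses import dataclass


@dataclass
class SessionSettings:
    """The three Django settings discussed in the RFE (constructed model)."""
    SESSION_COOKIE_AGE: int = 600                 # seconds; DISA wants 10 minutes
    SESSION_SAVE_EVERY_REQUEST: bool = False      # Django default
    SESSION_EXPIRE_AT_BROWSER_CLOSE: bool = False # Django default


@dataclass
class Session:
    expiry: float  # absolute time in seconds at which the server discards the session


def handle_request(session: Session, settings: SessionSettings, now: float) -> bool:
    """Return True if the session is still valid at `now`.

    Django only writes the session (and so refreshes its expiry) when the
    session was modified or SESSION_SAVE_EVERY_REQUEST is True. Without it,
    the expiry stays fixed at creation + SESSION_COOKIE_AGE: an absolute
    timeout, not an inactivity timeout.
    """
    if now >= session.expiry:
        return False  # expired: Django treats the cookie as an empty session
    if settings.SESSION_SAVE_EVERY_REQUEST:
        session.expiry = now + settings.SESSION_COOKIE_AGE  # sliding window
    return True


def simulate(settings: SessionSettings, request_times, login_time: float = 0):
    """Replay a timeline of request timestamps and report validity per request."""
    session = Session(expiry=login_time + settings.SESSION_COOKIE_AGE)
    return [handle_request(session, settings, t) for t in request_times]


def cookie_attributes(settings: SessionSettings) -> dict:
    """Max-Age Django puts on the session cookie.

    With SESSION_EXPIRE_AT_BROWSER_CLOSE the cookie gets no Max-Age/Expires,
    so the browser discards it when it closes; otherwise it lives for
    SESSION_COOKIE_AGE seconds even after the window is closed.
    """
    if settings.SESSION_EXPIRE_AT_BROWSER_CLOSE:
        return {"max_age": None}
    return {"max_age": settings.SESSION_COOKIE_AGE}
```

With the defaults, requests at 300 s and 590 s succeed but 880 s fails even though the user was never idle for 600 s; with SESSION_SAVE_EVERY_REQUEST=True the same timeline stays valid until a real 600 s gap.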
Clones: AAPRFE-55 [RFE] Add "SESSION_EXPIRE_AT_BROWSER_CLOSE" and "SESSION_SAVE_EVERY_REQUEST" options in controller setting. (Backlog)