- Epic
- Resolution: Unresolved
- Minor
Nova supports multiple console proxy servers that provide a secure way to expose guest graphical and serial consoles in a cloud environment.
By design, noVNC and the other consoles use a heartbeat to ensure that console sessions that are actively used are not timed out. While this default behavior improves the end-user UX, it can also weaken security in some cases, as there is no way to force the session to expire today.
This epic tracks designing a way to enable enforcement of session expiration when the session token expires, and potentially providing a new instance action to force-expire any active sessions on a given VM.
This can be useful to ensure that employees who were terminated are unable to gain access via a console session, or for other security use cases such as suspected session-based attacks.
This epic does not prescribe the exact way to achieve this, as we need to design this upstream with the community, but an initial look at the common proxy code suggests that there are two possible approaches.
First, we can attach a timer to the console websocket to expire it on session token expiration.
Second, we could add an RPC method to allow expiring the websocket associated with a given console session token.
Looking at both libvirt and noVNC, neither currently supports this natively, so this would require code development in nova if we proceed with this feature.
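A minimal asyncio sketch of the two approaches above, added here as an illustration and not taken from nova's proxy code: a hard deadline derived from the token expiry that heartbeats cannot extend, and a force-expire call that an RPC handler or instance action could invoke. `ConsoleSessions`, `serve`, `expire_instance`, the tokens and the instance names are hypothetical, and the relay is a constructed stand-in for the websocket.

```python
import asyncio
import time

class ConsoleSessions:
    """Hypothetical registry of live proxy sessions, keyed by console token."""
    def __init__(self):
        self._live = {}  # token -> (instance_uuid, relay task)

    async def serve(self, token, instance_uuid, expires_at, relay):
        """Run relay() until it ends, the token expires, or it is revoked."""
        task = asyncio.ensure_future(relay())
        self._live[token] = (instance_uuid, task)
        try:
            # Approach 1: hard deadline taken from the token's expiry time.
            # Heartbeats inside relay() never extend it.
            remaining = max(0.0, expires_at - time.time())
            done, _ = await asyncio.wait({task}, timeout=remaining)
            if done:
                return "force-expired" if task.cancelled() else "closed"
            task.cancel()
            await asyncio.gather(task, return_exceptions=True)
            return "token-expired"
        finally:
            self._live.pop(token, None)

    def expire_instance(self, instance_uuid):
        """Approach 2: what an RPC handler could call to drop a VM's sessions."""
        hit = [t for t, (u, _) in self._live.items() if u == instance_uuid]
        for token in hit:
            self._live[token][1].cancel()
        return hit

async def heartbeat_relay():
    # Constructed stand-in for the websocket relay: the client stays active
    # forever, so an idle timeout alone would never close the session.
    while True:
        await asyncio.sleep(0.01)

async def demo():
    sessions = ConsoleSessions()
    # Token about to expire: closed at the deadline despite heartbeats.
    first = await sessions.serve("tok-a", "vm-1", time.time() + 0.05, heartbeat_relay)
    # Long-lived token: closed by the force-expire action instead.
    second = asyncio.ensure_future(
        sessions.serve("tok-b", "vm-2", time.time() + 60, heartbeat_relay))
    await asyncio.sleep(0.02)
    revoked = sessions.expire_instance("vm-2")
    return first, revoked, await second

def run_demo():
    return asyncio.run(demo())
```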