It seems that Quay is not obeying directives related to session timeout and session permanence from the config.yaml file. After setting the following:
SESSION_TIMEOUT: "1m"
FEATURE_PERMANENT_SESSIONS: false
FRESH_LOGIN_TIMEOUT: "1m"
we still see CSRF tokens having a 31 day timeout:
set-cookie: _csrf_token=.eJxVkEtP20AURv-KNetYmtcde7wDAVFIG0AJAbyx5nHHdlrnMbbTNIj_3kRVF11-m6PvnE9SuT6Gatj9wC0pyOzUr1QzLOjT75t3fyvL-Wr2-vwaxjrM6xJvPspns7t_sqf5r2EzFeHQPS7fZUzl4vgwOx8YmZAqROwbUgxxxMtq_QVrhbeKq8yhkaAEz502QBlomzOJgdM8z03uuaHAvPDUOrSQZQZBizxIZTJhlJVS-9xrnvOgAJAKxzKOijJNs8DBUTRcaOYkk94iQOYBqJIO4HprZ8ah-d-W1StzN9bl6dwd-dt-2kQ8xXJ527_pcjme6_WevTR3eHB6M_u47zfr5aJblyl8G9yL67C_YvcYO7PF7fDP2Jn94BpTHTG2ocWLPp2Qn7u63VZD2yEpPklybfIQ20nCVPI4bhNOuUiYLGhecJ1Mv6_I14SMPca_-aiQxgnjU50JlkoGNLUCZMoyRcGDsZxq8vUHaWyMjA.ZIxs3Q.ujkrIDmIYmjCQFiwJ9iDM6n62xc; Expires=Mon, 17-Jul-2023 14:08:29 GMT; Secure; HttpOnly; Path=/; SameSite=Lax
Even if I set permanent sessions to true, the result is still the same.
It seems that this function is responsible for session length and CSRF token setup:
https://github.com/quay/quay/blob/6ed66a8ee18425e69445b03adcc0f8f85ef5f4b6/endpoints/common.py#L29
Auth provider is LDAP.
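A check, added here as an example and not part of the report or of Quay's own code, that measures how long the quoted _csrf_token cookie actually lives: it recovers the signing time embedded in the token, compares it with the Expires attribute, and tests the result against the configured SESSION_TIMEOUT. It assumes the itsdangerous 2.x timestamp encoding (payload.timestamp.signature, Unix seconds, base64url without padding) and uses a small hypothetical duration parser rather than Quay's; the header below is constructed with placeholder payload and signature but keeps the timestamp segment and Expires from the reported header.

```python
import base64
from datetime import datetime, timedelta, timezone

# Constructed Set-Cookie header: PAYLOAD and SIGNATURE are placeholders; the
# timestamp segment ("ZIxs3Q") and the Expires attribute are copied from the
# header quoted in the report above.
SET_COOKIE = (
    "_csrf_token=.PAYLOAD.ZIxs3Q.SIGNATURE; "
    "Expires=Mon, 17-Jul-2023 14:08:29 GMT; Secure; HttpOnly; Path=/; SameSite=Lax"
)

# Assumed duration suffixes for a config value such as "1m" (not Quay's parser).
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_duration(text):
    """Parse a short duration string like "1m" or "31d" into a timedelta."""
    return timedelta(seconds=int(text[:-1]) * UNITS[text[-1]])

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val
    return name, value, attrs

def signing_time(token):
    """Recover the issue time that itsdangerous' TimestampSigner embeds in
    <payload>.<timestamp>.<signature>: a big-endian integer of Unix seconds,
    base64url-encoded with the padding stripped (itsdangerous 2.x encoding)."""
    ts_b64 = token.rsplit(".", 2)[1]
    raw = base64.urlsafe_b64decode(ts_b64 + "=" * (-len(ts_b64) % 4))
    return datetime.fromtimestamp(int.from_bytes(raw, "big"), tz=timezone.utc)

def cookie_lifetime(header):
    """Time between the token's signing time and the cookie's Expires attribute."""
    _, value, attrs = parse_set_cookie(header)
    expires = datetime.strptime(attrs["expires"], "%a, %d-%b-%Y %H:%M:%S GMT")
    return expires.replace(tzinfo=timezone.utc) - signing_time(value)

def session_timeout_honoured(header, configured):
    """True if the cookie lives no longer than the configured SESSION_TIMEOUT."""
    return cookie_lifetime(header) <= parse_duration(configured)

if __name__ == "__main__":
    print("token signed at:", signing_time(parse_set_cookie(SET_COOKIE)[1]))
    print("cookie lifetime:", cookie_lifetime(SET_COOKIE))
    print("honours SESSION_TIMEOUT=1m:", session_timeout_honoured(SET_COOKIE, "1m"))
```

For the reported header the token was signed on 2023-06-16 14:08:29 UTC, exactly 31 days before the Expires value, so the check fails for "1m" and passes only for a 31-day timeout.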