Red Hat 3scale API Management
THREESCALE-693

Valid login session length should be configurable


Details

    Description

      Currently, the 3scale login session length is fixed at 2 weeks and cannot be changed. The length of a valid session should be configurable.

      These session aspects should be customizable for the developer and for the admin portal:
      1. Session Inactivity Timeout value
      2. Session Maximum Timeout value

      Dev Notes

      • Should there be a maximum allowed value? Not needed. The defaults would be the ones we have right now, and it will be up to the customer to define reasonable timeout values.
      • From comments below from Product, this issue will be done for on-prem only.
      • From this comment, it seems we should set an upper limit, if the security issue is for when the session timeout is too long:

        This security issue pops up in every penetration and security testing performed. Too long Inactivity Timeout and Max Session Timeout values provide threat actors more opportunities for session hijacking.

      UX notes

      Where shall we allow this for the admin portal? At the master level?

      Documentation notes

      Set user_sesion_ttl in settings.yml to a number of seconds, for example 7200 (2 hours). If the value is not set (null) or is an empty string, the default of 2 weeks is used.
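      As an added example (not code from the 3scale project or from this issue), the following Ruby script models the two session aspects listed above together with the documented TTL setting: it reads user_sesion_ttl from a constructed settings.yml fragment (the key name is quoted as written on this page), falls back to the current two-week default when the value is null or an empty string, rejects non-numeric or non-positive values instead of silently extending the session, and checks a session against both an inactivity timeout and a maximum session timeout. The settings fragment, the session hash shape and the helper names are assumptions made for illustration.

```ruby
require 'yaml'

# Constructed sample settings.yml content (assumption, not the project's own file).
# The key name user_sesion_ttl is taken from the issue text as written.
SAMPLE_SETTINGS_YAML = <<~YAML
  production:
    user_sesion_ttl: 7200
  staging:
    user_sesion_ttl: ""
  development:
    user_sesion_ttl: null
YAML

# Two weeks in seconds: the fixed value the issue says is used today.
DEFAULT_SESSION_TTL = 14 * 24 * 60 * 60

# Resolve the configured TTL for one environment's settings hash.
# nil (YAML null) and the empty string fall back to the default; anything
# else must parse as a positive integer number of seconds, otherwise we
# raise rather than quietly accept a broken value.
def session_ttl_for(settings)
  raw = settings['user_sesion_ttl']
  return DEFAULT_SESSION_TTL if raw.nil? || raw.to_s.strip.empty?

  ttl = Integer(raw.to_s, 10) # raises ArgumentError on "abc" or "7200s"
  raise ArgumentError, "user_sesion_ttl must be positive, got #{ttl}" unless ttl.positive?

  ttl
end

# A session is valid only while both limits hold (all times in epoch seconds):
#   inactivity: now - last_seen_at <= inactivity_timeout
#   maximum:    now - created_at   <= max_timeout
# The session hash shape (:created_at, :last_seen_at) is an assumption.
def session_valid?(session, now:, inactivity_timeout:, max_timeout:)
  idle = now - session[:last_seen_at]
  age  = now - session[:created_at]
  idle <= inactivity_timeout && age <= max_timeout
end

if __FILE__ == $PROGRAM_NAME
  settings = YAML.safe_load(SAMPLE_SETTINGS_YAML)
  settings.each do |env, cfg|
    puts "#{env}: session TTL = #{session_ttl_for(cfg)} seconds"
  end

  now = 10_000
  fresh = { created_at: 5_000, last_seen_at: 9_000 }
  stale = { created_at: 0, last_seen_at: 9_000 } # active, but older than max_timeout
  puts "fresh valid? #{session_valid?(fresh, now: now, inactivity_timeout: 1_800, max_timeout: 7_200)}"
  puts "stale valid? #{session_valid?(stale, now: now, inactivity_timeout: 1_800, max_timeout: 7_200)}"
end
```

      The two checks are kept separate on purpose: a request that arrives every few minutes keeps the inactivity clock fresh but never resets the session's creation time, so the maximum timeout still expires it. If an upper bound on the configured value is adopted, it is a single extra comparison inside session_ttl_for.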

      People: Unassigned; Yoko Harada (Inactive); Aleksandar Kostadinov; Matej Dujava
      Votes: 2
      Watchers: 11
