Closed by jonnalley 11 months ago
The majority of this is already done in other stories/tasks (i.e. #447) but cleanup and refinement of the processes including any logging and auditing.
For a moderate-level system, we're only required to do 30 minutes. Not sure where 15 came in?
NIST 800-53 AC-12 and IA-11
There is a note in the code, probably from Tim: FedRAMP AC-12 Control is 15 min
@xlorepdarkhelm yeah that's not accurate. AC-12 as selected and specified by HHS/ACF for FISMA moderate systems is 30 minutes.
@xlorepdarkhelm now that this is merged, will you please check off DoD?
So I think this is technically working from my limited testing. However, I have a question: is it possible to actually redirect the user to /login when this inactivity time has been reached?
Otherwise, the UX is not so great and they just get 400 errors on anything they click on and even the blue button in the upper-right implies they're still signed in.
That is part of what Tim is working on.
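The question above (redirecting to /login once the inactivity window is exhausted, rather than leaving the user with errors on every click) and the earlier note about logging and auditing can be served by one server-side check. The following is an added example, not code from this project: a framework-agnostic idle-timeout rule that a web framework's before-request hook would call on each authenticated request. The 30-minute value is the AC-12 figure stated in the thread; the `Session` and `Decision` types, the `/login` path, the `wants_html` flag and the in-memory `AUDIT_EVENTS` list are assumptions made for the example.

```python
"""Idle-session timeout (30 minutes, AC-12) with server-side termination,
an audit event, and a redirect to /login.  Example code, not the project's own."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

IDLE_TIMEOUT = timedelta(minutes=30)   # value stated in the thread for this FISMA-moderate system
LOGIN_PATH = "/login"                  # assumed login route


@dataclass
class Session:
    user: str
    last_activity: datetime            # timezone-aware UTC timestamp of the last request
    active: bool = True                # False once the server has terminated the session


@dataclass
class Decision:
    """What the calling middleware should do with the request."""
    action: str                        # "allow", "redirect" or "reject"
    status: int
    location: Optional[str] = None     # Location header (or hint header) pointing at the login page
    reason: Optional[str] = None


# Constructed in-memory audit trail; a deployment would write these records to its audit sink.
AUDIT_EVENTS: list = []


def _audit(event: str, session: Session, now: datetime, **extra) -> None:
    AUDIT_EVENTS.append({"event": event, "user": session.user, "at": now.isoformat(), **extra})


def _send_to_login(wants_html: bool, reason: str) -> Decision:
    # Browser navigation: a 302 lands the user on the login page.
    # XHR/API call: a 401 that carries the login URL, so client-side code can
    # redirect instead of surfacing a bare error for every click.
    if wants_html:
        return Decision("redirect", 302, location=LOGIN_PATH, reason=reason)
    return Decision("reject", 401, location=LOGIN_PATH, reason=reason)


def enforce_idle_timeout(session: Optional[Session], now: datetime,
                         path: str, wants_html: bool = True) -> Decision:
    """Apply the inactivity rule to one request.

    - the login page itself is always reachable
    - no session, or a session already terminated    -> send to login
    - idle for IDLE_TIMEOUT or longer                 -> terminate, audit, send to login
    - otherwise                                       -> slide the activity clock and allow
    """
    if path == LOGIN_PATH:
        return Decision("allow", 200)
    if session is None or not session.active:
        return _send_to_login(wants_html, "no_active_session")
    idle_for = now - session.last_activity
    if idle_for >= IDLE_TIMEOUT:
        session.active = False          # terminate on the server, not merely by cookie expiry
        _audit("session_idle_timeout", session, now,
               idle_seconds=int(idle_for.total_seconds()), path=path)
        return _send_to_login(wants_html, "idle_timeout")
    session.last_activity = now         # any authenticated activity restarts the 30-minute window
    return Decision("allow", 200)


if __name__ == "__main__":
    # Constructed walk-through: activity at t0, a click 10 minutes later, then a 31-minute gap.
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    sess = Session("alice", t0)
    print(enforce_idle_timeout(sess, t0 + timedelta(minutes=10), "/dashboard"))
    print(enforce_idle_timeout(sess, t0 + timedelta(minutes=41), "/dashboard"))
    print(AUDIT_EVENTS[-1])
```

The check deliberately invalidates the session on the server before answering, so a replayed cookie after the window cannot resume the session; the audit record carries the user, the timestamp and the idle duration, which is the material an auditor asks for under AC-12.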
9/11
User Story
As an OPS System Admin, I want user sessions to expire after 30 minutes of inactivity so that the application can be compliant with requisite controls.
Acceptance Criteria
Tasks
Definition of Done Checklist
Additional Context & Resources