cisagov / ansible-role-guacamole

An Ansible role for installing cisagov/guacamole-composition
Creative Commons Zero v1.0 Universal

Consider adding a maximum lifetime for the session cookie #22

Open jsf9k opened 3 years ago

jsf9k commented 3 years ago

🚀 Feature Proposal

The SessionMaxAge directive of Apache's mod_session module allows us to set a maximum age for an inactive browser session. The SessionMaxAge clock is reset every time the session is saved, so the session will not expire as long as the user keeps interacting with Guacamole. But if the user is inactive for SessionMaxAge seconds then the session is expired and the user must once again present valid Kerberos credentials to continue interacting with Guacamole. The default value (which we are currently using) is zero, which corresponds to no maximum age for sessions.

We should consider assigning a maximum session age of, say, one hour or one day.

Motivation

This came up because one of the assessors noticed that he was able to continue interacting with a Guacamole session after his Kerberos credentials expired. That was not surprising, since he presumably still had a valid session cookie, but in writing an email response to him I started looking at the Apache documentation to determine what the maximum session age was currently set to.
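The default and the proposed setting side by side, as an added configuration example that is not code from the cisagov/guacamole-composition project or from the issue author. The Kerberos module (mod_auth_gssapi), the `/guacamole/` location, the cookie name and the file paths are assumptions; only the mod_session directives and the SessionMaxAge semantics come from the Apache documentation cited above.

```apache
# Added example, not the project's actual Apache configuration.
# Assumes httpd 2.4 with mod_session, mod_session_cookie,
# mod_session_crypto and mod_auth_gssapi loaded. Paths, the cookie
# name and the Location are placeholders.
<Location "/guacamole/">
    AuthType GSSAPI
    AuthName "Kerberos login"
    # Assumed keytab path.
    GssapiCredStore keytab:/etc/httpd/http.keytab
    # Let mod_auth_gssapi cache the authenticated user in the
    # mod_session session so the browser is not re-challenged
    # on every request.
    GssapiUseSessions On
    Require valid-user

    Session On
    # Cookie is encrypted and signed server-side; HttpOnly and
    # Secure keep it off script and off cleartext transports.
    SessionCookieName guac_session path=/guacamole/;HttpOnly;Secure
    # Assumed path to the passphrase file.
    SessionCryptoPassphraseFile /etc/httpd/session.key

    # Weak (the current state): 0 is the documented default, so
    # leaving the directive out is equivalent. The session never
    # expires on its own and keeps working after the Kerberos
    # ticket that created it has expired.
    # SessionMaxAge 0

    # Hardened: expire the session after one hour of inactivity.
    # mod_session resets the clock each time the session is saved,
    # so an active user is not interrupted; an idle user is sent
    # back through Kerberos authentication.
    SessionMaxAge 3600
</Location>
```

Note that Apache does not accept trailing comments on directive lines, so the explanatory comments must stay on their own lines as above. After changing the value, run `apachectl configtest` and reload; the expiry is stored inside the encrypted session itself, not only in the cookie's expiry attribute, so a client cannot extend it by editing the cookie.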