hashicorp / boundary

Boundary enables identity-based access management for dynamic infrastructure.
https://boundaryproject.io

Currently the UI does not support auto logout, so it is not a secure feature. #827

Closed skolenkin closed 3 years ago

skolenkin commented 3 years ago

Currently, the UI does not support auto-logout, so it is not a secure feature. The UI doesn't support auto-logout based on inactive session detection, for example.

Also please note: if you open a new tab in the browser, the user is not asked to enter a login and password. Is this expected?

References: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html

boundary version
Version information:
  Git Revision:        d8020842ae8b6c742b94538baada313d7eb52809
  Version Number:      0.1.2
jorhett commented 3 years ago

Not Hashicorp, just offering my own insights:

> If you open a new tab in the browser, the user is not asked to enter a login and password. Is this expected?

Boundary is allowing a session to connect to a destination service, in the context of your question a web server. Whether or not the web server prompts for a password is a choice made by the web server. And that prompt would be encrypted in the session between the browser and the end web server, thus invisible to Boundary itself.

ETA: If you mean the Boundary web UI, it uses cookies which are shared between tabs unless you use Private or Incognito mode in your browser.

ghost commented 3 years ago

Hi there! Boundary frontend engineer here. You are absolutely correct that session idle timeout is essential for security. Boundary enforces idle timeout on the server side, as recommended by OWASP. The default idle timeout is 1 day and you can change this via auth_token_time_to_stale.

If a session times out, the UI will detect this when the user attempts the next action (including read or list).

Thanks for the feedback! Let us know if you have other questions.
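The setting named in the reply above lives in the controller stanza of the Boundary server configuration. The following controller config is an added example, not taken from this issue or from the Boundary project; the 15m and 8h values, the controller name and the database URL are assumptions chosen for illustration, while the 1 day default for `auth_token_time_to_stale` is the one quoted in the thread.

```hcl
# Added example controller stanza (not from the issue or the Boundary project).
# auth_token_time_to_stale and auth_token_time_to_live are documented Boundary
# controller options; the concrete values below are assumptions for illustration.

controller {
  name        = "controller-1"
  description = "Example controller with shortened auth-token lifetimes"

  # Idle timeout, enforced server side: a token that has not been used for
  # this long is treated as stale and rejected on its next use.
  # The default is 1 day ("24h"); 15 minutes is a tighter value suited to an
  # interactive web UI (assumed value).
  auth_token_time_to_stale = "15m"

  # Absolute lifetime: the token expires after this long regardless of
  # activity, so a session that keeps refreshing cannot live indefinitely
  # (assumed value; pick one that matches your working-day policy).
  auth_token_time_to_live = "8h"

  database {
    # Assumed: the Postgres URL is read from an environment variable rather
    # than written into the config file.
    url = "env://BOUNDARY_PG_URL"
  }
}
```

Two practical caveats follow from the thread. First, the check is server side and the UI only learns that a token has gone stale on its next API call, so a page left open still shows its last-rendered data until the user acts; a short stale window limits how long a forgotten tab's token stays usable against the API, not how long the old screen stays visible. Second, because the UI's cookie is shared across tabs of the same browser profile, a fresh tab reuses the same token and is subject to the same two timers rather than prompting for credentials again.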