owid / owid-grapher

A platform for creating interactive data visualizations
https://ourworldindata.org
MIT License

Site admin can require re-authentication every few minutes #3583

Closed larsyencken closed 1 month ago

larsyencken commented 1 month ago

Problem

Our site admin at https://admin.owid.io/ uses GSuite login tied to our org, as the previous version at https://owid.cloud/ did. However, for some people, at some periods of time, it requires re-authentication too frequently (e.g. within 30 minutes).

Expected behaviour

Once authenticated, you should remain authenticated for at minimum a whole day, probably longer, like a week or a month.

larsyencken commented 1 month ago

It's been reported by Hannah, and by Ed, but seems resolved for them both now. @Marigold could not replicate it.

@pabloarosado is experiencing it at the moment.

Marigold commented 1 month ago

Link to Slack thread. This seems to have helped:

Could you maybe try deleting all admin cookies? Go to chrome://settings/content/all, search for owid.io and delete all cookies and then do the same for owid.cloud?

Marigold commented 1 month ago

I've increased Session duration from 15 min to 1 week in Cloudflare Access (we always had those 15 min; I reused the same Cloudflare Access application for the new admin URL).

danyx23 commented 1 month ago

@mlbrgl wants to review some notes on whether there is a reason to have the CF Access setting at 15 minutes.

I'll close this issue in the meantime but please either Matthieu reopen it if there is a reason not to do this or anyone else reopen it if this happens again.

mlbrgl commented 1 month ago

The justification for the 15 min can be found here. Longer means increasing risk while shorter (0, immediate expiry) means that auth is not possible using the fallback login flow.

I would recommend reverting the application session duration to 15 min, and setting the global session duration to 1 week instead. This gives us longer session durations without increasing the risk in case an app token gets compromised.

The user can access the application for the entire duration of the application token’s lifecycle. When the application token expires, Cloudflare will automatically issue a new application token if the global token is still valid (and the user’s identity still passes your Access policies). If the global token has also expired, the user will be prompted to re-authenticate with the IdP.

The global token expiration is usually set to equal or exceed the application token expiration. Setting a longer global token provides a more secure way to allow for longer user sessions, since the global token cannot be used to directly access an application.

See Cloudflare docs.
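The two-token lifecycle quoted above can be modelled as a small simulation to see why the recommended split (short application session, long global session) keeps the exposure of a leaked application token short without prompting the user for IdP login more often. This is an added illustration, not Cloudflare's implementation or anything from the owid-grapher project: it assumes only the behaviour the quoted docs describe (application token reissued silently while the global token is valid; IdP login once both have expired), treats both durations as fixed rather than sliding, and uses constructed request timings in minutes.

```python
"""Model of the Cloudflare Access application-token / global-token lifecycle.

Added example; not Cloudflare code. Assumptions (from the quoted docs):
  - a request inside the application token's lifetime is served directly;
  - if the application token has expired but the global token is still valid,
    a new application token is issued with no user interaction;
  - if both have expired, the user is sent back to the IdP.
Token lifetimes are treated as fixed windows from issue time, not sliding.
"""
from dataclasses import dataclass

WEEK = 7 * 24 * 60  # minutes


@dataclass
class AccessSession:
    app_ttl: int            # application session duration (minutes)
    global_ttl: int         # global session duration (minutes)
    app_expires: int = -1   # -1: no token issued yet
    global_expires: int = -1

    def request(self, now: int) -> str:
        """Classify one request at time `now` and update token state."""
        if now < self.app_expires:
            return "app-token"          # served by the existing app token
        if now < self.global_expires:
            self.app_expires = now + self.app_ttl
            return "refreshed"          # silent reissue, no IdP round trip
        # both expired: full IdP login, both tokens reissued
        self.global_expires = now + self.global_ttl
        self.app_expires = now + self.app_ttl
        return "idp-login"


def simulate(app_ttl: int, global_ttl: int, request_times) -> list:
    """Outcome of each request, in order, for a fresh session."""
    session = AccessSession(app_ttl, global_ttl)
    return [session.request(t) for t in request_times]


def summarize(request_times) -> dict:
    """Compare the three configurations discussed in the thread.

    Returns {config_name: (idp_logins, silent_refreshes, max_app_token_life)}.
    max_app_token_life is the longest a stolen application token alone could
    be replayed, which per the docs is bounded by the application TTL.
    """
    configs = {
        "app=15m, global=15m (original)": (15, 15),
        "app=1w, global=1w (first fix)": (WEEK, WEEK),
        "app=15m, global=1w (recommended)": (15, WEEK),
    }
    times = list(request_times)
    out = {}
    for name, (app_ttl, global_ttl) in configs.items():
        outcomes = simulate(app_ttl, global_ttl, times)
        out[name] = (outcomes.count("idp-login"),
                     outcomes.count("refreshed"),
                     app_ttl)
    return out


if __name__ == "__main__":
    # Constructed workload: one request every 10 minutes over an 8-hour day.
    workday = range(0, 8 * 60 + 1, 10)
    for name, (logins, refreshes, exposure) in summarize(workday).items():
        print(f"{name}: {logins} IdP logins, {refreshes} silent refreshes, "
              f"leaked app token usable for at most {exposure} min")
```

Running it shows the trade-off in the thread: the original 15/15 setting forces an IdP login every 20 minutes for a user active every 10 minutes, the 1-week/1-week setting needs one login but leaves a leaked application token replayable for a week, and the recommended 15-minute/1-week split also needs one login while bounding a leaked application token to 15 minutes.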

Marigold commented 1 month ago

Thanks for the research, @mlbrgl. I have set it as per your advice. Closing this now; we can reopen it if there are further re-authentication issues.