skoruba / Duende.IdentityServer.Admin

The administration for the Duende IdentityServer and Asp.Net Core Identity ⚡
Apache License 2.0
559 stars, 194 forks

Session management #179

Open colin-freemarketfx opened 11 months ago

colin-freemarketfx commented 11 months ago

Is your feature request related to a problem? Please describe.
We have a requirement that users on the admin portal are logged out after 15 minutes of inactivity. I'm not aware of any configuration in the admin portal to set this up - are there any plans to implement a session management feature? Have I missed something?

Describe the solution you'd like
A configuration value that can be set to some number of seconds, resulting in a log out of the user when hitting any endpoint after a period of inactivity exceeding this time.

Describe alternatives you've considered
I've had a look through the codebase, readme and configuration; I don't see any obvious way to set this up.

Thanks @skoruba

skoruba commented 11 months ago

Hi @colin-freemarketfx, thank you for your feedback. Currently you can set up the lifetime of the main application cookie. Let me think about it - I will send you an update.

Thanks!

colin-freemarketfx commented 11 months ago

Thanks @skoruba. I've set 'IdentityAdminCookieExpiresUtcHours' to 12, but I'm finding that I'm still logged in after a weekend away, or sometimes even weeks later.

Is there a different setting I should be looking at?

EDIT: I just navigated to an instance I last logged into yesterday morning, and without logging in again, I was assigned new cookies with a new 12 hour expiry date.

colin-freemarketfx commented 10 months ago

Hi @skoruba , is there some config other than 'IdentityAdminCookieExpiresUtcHours' for this? It seems that when you go back to the site after the expiry time, you just get another cookie with a fresh expiry date?

I don't see anything wrong with the code below. Am I looking in the wrong place?

[screenshot omitted]

colin-freemarketfx commented 10 months ago

Hi @skoruba , I finally have some replication steps for this. We have two UI clients running against our Identity instance, and when we log out of the admin, then into our other client, when we navigate back to the admin portal we are signed in.

This is because of the cookie same-site settings - when we set strict in our other client, this prevents the 'infinite' session bug. Similarly, however, logging into the identity admin portal means that we become logged into our other client, which is not ideal. I see that the cookie settings in the admin portal default to 'Unspecified', with no means to override this. I could take a stab at adding some configuration, but it may not be for some time.

I would also propose elevating the defaults to more secure configurations (i.e. SameSite Strict, HttpOnly true, Secure true) - what do you think? I appreciate this could be disruptive for some, but I believe it's generally better to cause some pain upfront than risk deploying a less-secure application.

[screenshots omitted]
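The two behaviours discussed in this thread (a cookie being reissued with a fresh expiry after the configured lifetime, and cookie attributes defaulting to SameSite=Unspecified) both come down to how ASP.NET Core's cookie authentication is configured. The following is an added example, not code from this project, showing how an ASP.NET Core application using Identity would express an idle timeout and hardened cookie attributes. It assumes a minimal-hosting app whose login cookie is Identity's application cookie (configured through ConfigureApplicationCookie); the IdleTimeoutMinutes configuration key is a hypothetical name, and the 15-minute default matches the requirement in the opening post.

```csharp
// Added example (not the project's own code): idle timeout plus hardened cookie
// attributes for ASP.NET Core Identity's application cookie.
// Assumption: a minimal-hosting ASP.NET Core app using ASP.NET Core Identity.
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// "IdleTimeoutMinutes" is a hypothetical key; 15 minutes is the thread's requirement.
var idleTimeout = TimeSpan.FromMinutes(
    builder.Configuration.GetValue<int>("IdleTimeoutMinutes", 15));

builder.Services.ConfigureApplicationCookie(options =>
{
    // ExpireTimeSpan is the lifetime of the authentication ticket.
    // With SlidingExpiration = true the framework reissues the cookie on any
    // request made after more than half the lifetime has elapsed, so the user is
    // signed out only after a full idleTimeout of inactivity. This is the
    // "fresh cookie with a new expiry" effect; set SlidingExpiration = false for
    // an absolute lifetime that is never extended.
    options.ExpireTimeSpan = idleTimeout;
    options.SlidingExpiration = true;

    // Cookie attributes. Leaving SameSite unspecified lets the browser decide,
    // which is what the thread observes; set it explicitly.
    options.Cookie.HttpOnly = true;                           // not readable from script
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;  // only sent over HTTPS
    options.Cookie.SameSite = SameSiteMode.Strict;            // never sent on cross-site requests
    options.Cookie.IsEssential = true;                        // not subject to consent gating

    // Redirect unauthenticated requests to the login page rather than returning 401.
    options.LoginPath = "/Account/Login";
});

var app = builder.Build();

app.UseHttpsRedirection();
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/", (HttpContext ctx) =>
    ctx.User.Identity?.IsAuthenticated == true ? "signed in" : "anonymous");

app.Run();
```

Two things to verify after applying settings like these. First, inspect the Set-Cookie header on a login response and confirm the HttpOnly, Secure and SameSite=Strict attributes are present; if the app sits behind a TLS-terminating proxy, the forwarded-headers middleware must run before authentication or CookieSecurePolicy.Always will issue a cookie the browser never returns over plain HTTP. Second, exercise the full sign-in round trip: a Strict cookie is not sent on cross-site top-level navigations, so the redirect back from an external identity provider can land as an anonymous request depending on the response mode used; SameSiteMode.Lax is the usual fallback for that one cookie if it does.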

skoruba commented 10 months ago

Hi @colin-freemarketfx - sure, let me check it. I will prepare a new version soon. Thank you.