Insufficient Session Expiration - Low

[enekofb]

What Lack of proper session expiration

Why The lack of proper session expiration may improve the likely success of certain attacks. Although short session expiration times do not help if a stolen token is immediately used, they will protect against ongoing replaying of the session ID.

Recommendation Invalidate user JWT token after log-out, and after a fixed amount of time without receiving a valid request from the logged in user.

Acceptance Criteria

• Based on the recommendations, ensure that the finding is addressed for Weave gitops OSS and EE.

More info

• See epic for full context
• See validation comment https://github.com/weaveworks/weave-gitops-enterprise/issues/1966#issuecomment-1329444818

[enekofb]

See comments from

@davidstauffer https://weaveworks.slack.com/archives/C03QNK53W68/p1669300686921979?thread_ts=1669298479.965169&cid=C03QNK53W68 and

@bigkevmcd in https://weaveworks.slack.com/archives/C03QNK53W68/p1669828001783499?thread_ts=1669298479.965169&cid=C03QNK53W68