Chef Ideas

A2 configurable webUI session timer

Several customers have asked that the Automate2 WebUI 3-minute session timer be user-configurable.

I looked at the output of `chef-automate dev default-config` in Chef Automate 20190501153509 and found no instances of "time" or "session" that were applicable to this case, so the timer value appears to be hardcoded currently.

  • Sean Horn
  • May 10 2019
  • Completed
  • Admin
    Ankur Mundhra commented
    19 May 08:20am

    For the last comment ("logout"), @andrew, please raise a separate idea/issue.

  • Andrew Dufour commented
    28 Jan 02:25am

    Also, close to this: "logout" should invalidate an existing WebUI session.

  • Andrew Dufour commented
    28 Jan 02:21am

    Also requested by a gov't customer and a major financial, and identified as a security vulnerability in multiple reviews.

  • Admin
    Richard Nixon commented
    20 Apr, 2020 10:45am

    I have a hacky script to log users out, though I'm not super keen to publish it as it involves deleting the session records in PostgreSQL.

    Feel free to ping me for the script if you need it for a specific customer.

  • Sean Horn commented
    17 Apr, 2020 06:26pm

    Ignore the 3 minute thing. That is probably related to firewalls/proxies cutting the connection.

    Customers would like to be able to control whatever session timeouts are currently hardcoded for SAML, LDAP, local logins.

  • Natalie Fisher commented
    15 Apr, 2020 06:00pm

    I also want to add, for LDAP or local users, a user is not logged out unless the session token expires by means of closing the browser window.

  • Admin
    Richard Nixon commented
    11 Feb, 2020 02:59pm

    Not sure if this relates to the session expiry timer as I've never been logged out after 3 mins.

    The docs at https://automate.chef.io/docs/ldap/#authentication-via-existing-identity-management-systems say that SAML users get 24h, and there is no specified time for LDAP/AD and Local users.

    Looking at session cookies, it seems they expire in 24h, but get refreshed on any pages that auto update. Not sure how this is reflected in the A2 session table.

    Practical tests show I can stay logged in to A2 for more than 24h without interacting with the page.