We believe that the best way to build software is to do it in close collaboration with the people who use it. We invite you to submit your ideas using the form below. Please be sure to include the problem you are solving and the benefits of implementing the idea.
We do our best to implement as many ideas as we can. Our Product team will evaluate all submitted ideas in a timely manner and will disposition each into one of the following categories: will integrate into the product roadmap, further research is needed, unlikely to implement.
Thanks for collaborating with us!
Several customers have asked that the Automate2 WebUI 3 minute session timer be user-configurable.
I looked at the output of `chef-automate dev default-config` in Chef Automate 20190501153509 and found no instances of "time" or "session" that were applicable to this case, so the timer value appears to be hardcoded currently.
For the last comment ("logout"), @andrew, please raise a separate idea/issue.
Also, closely related to this: "logout" should invalidate an existing WebUI session.
Also requested by a gov't customer and a major financial, and identified as a security vulnerability in multiple reviews.
I have a hacky script to log users out, though I'm not super keen to publish it as it involves deleting the session records in PostgreSQL.
Feel free to ping me for the script if you need it for a specific customer.
Ignore the 3 minute thing. That is probably related to firewalls/proxies cutting the connection.
Customers would like to be able to control whatever session timeouts are currently hardcoded for SAML, LDAP, and local logins.
I also want to add, for LDAP or local users, a user is not logged out unless the session token expires by means of closing the browser window.
Not sure if this relates to the session expiry timer as I've never been logged out after 3 mins.
The docs at https://automate.chef.io/docs/ldap/#authentication-via-existing-identity-management-systems say that SAML users get 24h, and there is no specified time for LDAP/AD and Local users.
Looking at session cookies, it seems they expire in 24h, but get refreshed on any pages that auto update. Not sure how this is reflected in the A2 session table.
Practical tests show I can stay logged in to A2 for more than 24h without interacting with the page.