Chef Ideas

For the last comment ("logout"), @andrew, please raise a separate idea/issue.

Also close to this "logout" should invalidate an existing WebUI session.

Also requested by a gov't customer, and a major financial and identified as a security vulnerability in multiple reviews.

I have a hacky script to log users out, though I'm not super keen to publish it as it involves deleting the session records in PostgreSQL

Feel free to ping me for the script if you need it for a specific customer.

Ignore the 3 minute thing. That is probably related to firewalls/proxies cutting the connection.

Customers would like to be able to control whatever session timeouts are current hardcoded for SAML, LDAP, local logins.

I also want to add, for LDAP or local users, a user is not logged out unless the session token expires by means of closing the browser window.

Not sure if this relates to the session expiry timer as I've never been logged out after 3 mins.

The docs at https://automate.chef.io/docs/ldap/#authentication-via-existing-identity-management-systems say that SAML users get 24h, and there is no specified time for LDAP/AD and Local users.

Looking at session cookies, it seems they expire in 24h, but get refreshed on any pages that auto update. Not sure how this is reflected in the A2 session table.

Practical tests show I can stay logged in to A2 for more than 24h without interacting with the page.