From 059a90702e454b99490031bd37541304e65d35d2 Mon Sep 17 00:00:00 2001 From: John Dennis Date: Sun, 19 Feb 2012 10:02:38 -0500 Subject: Implement session activity timeout Previously sessions expired after session_auth_duration had elapsed commencing from the start of the session. We new support a "rolling" expiration where the expiration is advanced by session_auth_duration everytime the session is accessed, this is equivalent to a inactivity timeout. The expiration is still constrained by the credential expiration in all cases. The session expiration behavior is configurable based on the session_auth_duration_type. * Reduced the default session_auth_duration from 1 hour to 20 minutes. * Replaced the sesssion write_timestamp with the access_timestamp and update the access_timestamp whenever the session data is created, retrieved, or written. * Modify set_session_expiration_time to handle both an inactivity timeout and a fixed duration. * Introduce KerberosSession as a mixin class to share session duration functionality with all classes manipulating session data with Kerberos auth. This is both the non-RPC login class and the RPC classes. * Update make-lint to handle new classes. * Added session_auth_duration_type config item. * Updated default.conf.5 man page for new session_auth_duration_type item. * Removed these unused config items: mount_xmlserver, mount_jsonserver, webui_assets_dir https://fedorahosted.org/freeipa/ticket/2392 --- ipalib/constants.py | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'ipalib/constants.py') diff --git a/ipalib/constants.py b/ipalib/constants.py index 899c765fa..3c63739fa 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -109,15 +109,16 @@ DEFAULT_CONFIG = ( # Web Application mount points ('mount_ipa', '/ipa/'), - ('mount_xmlserver', 'xml'), - ('mount_jsonserver', 'json'), # WebUI stuff: ('webui_prod', True), - ('webui_assets_dir', None), + + # Session stuff: # Maximum time before a session expires forcing credentials to be reacquired. - ('session_auth_duration', '1h'), + ('session_auth_duration', '20 minutes'), + # How a session expiration is computed, see SessionManager.set_session_expiration_time() + ('session_duration_type', 'inactivity_timeout'), # Debugging: ('verbose', 0), -- cgit