Add session lifespan, rename sessionTimeout to session.idleTimeout

Extending sessions works properly. Still TODO: * Add sessionInfo endpoint to allow clients to fetch info * Modify UI to change the existing idle timeout notification, and add another one for exceeding the lifespan
elastic · Nov 5, 2019 · 3edd0bc · 3edd0bc
1 parent edd7a70
commit 3edd0bc
Show file tree

Hide file tree

Showing 13 changed files with 362 additions and 53 deletions.
diff --git a/docs/settings/security-settings.asciidoc b/docs/settings/security-settings.asciidoc
@@ -47,7 +47,13 @@ is set to `true` if `server.ssl.certificate` and `server.ssl.key` are set. Set
 this to `true` if SSL is configured outside of {kib} (for example, you are
 routing requests through a load balancer or proxy).
 
-`xpack.security.sessionTimeout`::
+`xpack.security.session.idleTimeout`::
 Sets the session duration (in milliseconds). By default, sessions stay active
-until the browser is closed. When this is set to an explicit timeout, closing the
-browser still requires the user to log back in to {kib}.
+until the browser is closed. When this is set to an explicit idle timeout, closing
+the browser still requires the user to log back in to {kib}.
+
+`xpack.security.session.lifespan`::
+Sets the maximum duration (in milliseconds), also known as "absolute timeout". By
+default, a session can be renewed indefinitely. When this value is set, a session
+will end once its lifespan is exceeded, even if the user is not idle. Note, if
+`idleTimeout` is not set, this setting will still cause sessions to expire.
diff --git a/src/dev/build/tasks/os_packages/docker_generator/resources/bin/kibana-docker b/src/dev/build/tasks/os_packages/docker_generator/resources/bin/kibana-docker
@@ -179,7 +179,8 @@ kibana_vars=(
  xpack.security.enabled
  xpack.security.encryptionKey
  xpack.security.secureCookies
- xpack.security.sessionTimeout
+ xpack.security.session.timeout
+ xpack.security.session.lifespan
  telemetry.enabled
 )
 

diff --git a/x-pack/legacy/plugins/security/index.js b/x-pack/legacy/plugins/security/index.js
@@ -45,7 +45,10 @@ export const security = (kibana) => new kibana.Plugin({
  enabled: Joi.boolean().default(true),
  cookieName: Joi.any().description('This key is handled in the new platform security plugin ONLY'),
  encryptionKey: Joi.any().description('This key is handled in the new platform security plugin ONLY'),
- sessionTimeout: Joi.any().description('This key is handled in the new platform security plugin ONLY'),
+ session: Joi.object({
+ idleTimeout: Joi.any().description('This key is handled in the new platform security plugin ONLY'),
+ lifespan: Joi.any().description('This key is handled in the new platform security plugin ONLY'),
+ }).default(),
  secureCookies: Joi.any().description('This key is handled in the new platform security plugin ONLY'),
  authorization: Joi.object({
  legacyFallback: Joi.object({
@@ -59,9 +62,10 @@ export const security = (kibana) => new kibana.Plugin({
  }).default();
  },
 
- deprecations: function ({ unused }) {
+ deprecations: function ({ rename, unused }) {
  return [
  unused('authorization.legacyFallback.enabled'),
+ rename('sessionTimeout', 'session.idleTimeout'),
  ];
  },
 
@@ -104,7 +108,10 @@ export const security = (kibana) => new kibana.Plugin({
 
  return {
  secureCookies: securityPlugin.config.secureCookies,
- sessionTimeout: securityPlugin.config.sessionTimeout,
+ session: {
+ idleTimeout: securityPlugin.config.session.idleTimeout,
+ lifespan: securityPlugin.config.session.lifespan,
+ },
  enableSpaceAwarePrivileges: server.config().get('xpack.spaces.enabled'),
  };
  },

diff --git a/x-pack/legacy/plugins/security/public/views/login/login.tsx b/x-pack/legacy/plugins/security/public/views/login/login.tsx
@@ -20,6 +20,9 @@ const messageMap = {
  SESSION_EXPIRED: i18n.translate('xpack.security.login.sessionExpiredDescription', {
  defaultMessage: 'Your session has timed out. Please log in again.',
  }),
+ SESSION_ENDED: i18n.translate('xpack.security.login.sessionEndedDescription', {
+ defaultMessage: 'Your session has exceeded the maximum time limit. Please log in again.',
+ }),
  LOGGED_OUT: i18n.translate('xpack.security.login.loggedOutDescription', {
  defaultMessage: 'You have logged out of Kibana.',
  }),

diff --git a/x-pack/legacy/plugins/xpack_main/public/services/xpack_session_data.js b/x-pack/legacy/plugins/xpack_main/public/services/xpack_session_data.js
@@ -0,0 +1,19 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+const XPACK_SESSION_DATA_KEY = 'xpackMain.sessionData';
+
+export const xpackSessionData = {
+ get() {
+ return sessionStorage.getItem(XPACK_SESSION_DATA_KEY);
+ },
+ set(updatedXPackSessionData) {
+ sessionStorage.setItem(XPACK_SESSION_DATA_KEY, updatedXPackSessionData);
+ },
+ clear() {
+ sessionStorage.removeItem(XPACK_SESSION_DATA_KEY);
+ }
+};
diff --git a/x-pack/plugins/security/public/plugin.ts b/x-pack/plugins/security/public/plugin.ts
@@ -23,7 +23,7 @@ export class SecurityPlugin implements Plugin<SecurityPluginSetup, SecurityPlugi
  const sessionExpired = new SessionExpired(basePath);
  http.intercept(new UnauthorizedResponseHttpInterceptor(sessionExpired, anonymousPaths));
  const sessionTimeout = new SessionTimeout(
- injectedMetadata.getInjectedVar('sessionTimeout', null) as number | null,
+ injectedMetadata.getInjectedVar('session.idleTimeout', null) as number | null,
  notifications,
  sessionExpired,
  http