Improve session idle timeout, add session lifespan #49855
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jportner
changed the title
jportner
changed the title
💔 Build Failed |
💔 Build Failed |
jportner
force-pushed
the
issue-18566-absolute-session-timeout
branch
4 times, most recently
from
1b2e61e
to
20298ea
Compare
💔 Build Failed |
💔 Build Failed |
jportner
force-pushed
the
issue-18566-absolute-session-timeout
branch
3 times, most recently
from
0959914
to
b80b0e3
Compare
💚 Build Succeeded |
|
Note to reviewers: two commits (e143e48 and 7bc88ed) are concerned with how to define special routes which should not extend a user's session. After I wrote this code, @azasypkin pointed out to me that we have an existing mechanism ( Despite its name, this uses an HTTP request header to determine whether to extend a session or not. We both agree that this mechanism could use another look, and perhaps could be rewritten (such as the static route-based options that I defined in the two commits above). However, in the spirit of separation of concerns and making this PR a bit lighter, I opted to defer any such change/s to sometime in the future. So, I reverted these two commits, but left them in the history in the PR for future reference. |
jportner
commented
Nov 5, 2019
jportner
commented
Nov 5, 2019
jportner
commented
Nov 5, 2019
💚 Build Succeeded |
jportner
force-pushed
the
issue-18566-absolute-session-timeout
branch
from
1f3bc81
to
a79bc07
Compare
jportner
changed the title
jportner
force-pushed
the
issue-18566-absolute-session-timeout
branch
from
a79bc07
to
f92f629
Compare
jportner
commented
Nov 7, 2019
…bsolute-session-timeout
💚 Build Succeeded |
Previously, the lifespan warning would flash on a user's screen every time they clicked a link, because that would result in an API call to get updated session info. Added a check to prevent that from happening.
💚 Build Succeeded |
legrego
reviewed
Nov 25, 2019
x-pack/legacy/plugins/security/public/hacks/on_session_timeout.js
Outdated
Show resolved
Hide resolved
legrego
reviewed
Nov 25, 2019
💚 Build Succeeded |
💚 Build Succeeded |
legrego
approved these changes
Nov 26, 2019
…bsolute-session-timeout
💚 Build Succeeded |
jportner
added a commit
to jportner/kibana
that referenced
this pull request
Nov 26, 2019
This adds an absolute session timeout (lifespan) to user sessions. It also improves the existing session timeout toast and the overall user experience in several ways.
jportner
added a commit
that referenced
this pull request
Nov 26, 2019
azasypkin
reviewed
Nov 28, 2019
2 tasks
This was referenced Dec 9, 2019
timductive
pushed a commit
to timductive/kibana
that referenced
this pull request
Dec 16, 2019
This adds an absolute session timeout (lifespan) to user sessions. It also improves the existing session timeout toast and the overall user experience in several ways.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
The core purpose of this PR is to add an absolute timeout, or "lifespan", to user sessions. To facilitate this, changes needed to be made to the existing session idle timeout functionality.
If a lifespan is defined, sessions will expire at that point in time. If an idle timeout is also defined, then sessions can be extended up to the end of that lifespan. When a user is about to reach the end of their session lifespan, they will see a warning toast similar to the existing one for idle session timeout.
Changes to existing functionality are primarily on the client-side. Before, the client was completely unaware of when its session would actually expire -- it would just estimate this based on the injected config values. Now, the client fetches this information from an API, and shares this across tabs to synchronize the timers to all of them. This results in a much better user experience where these popups behave more logically, and one open tab will not erroneously log users out when the session has been extended in another tab.
Deprecates config option
xpack.security.sessionTimeout, the new name isxpack.security.session.idleTimeoutto better reflect its function.Adds config option
xpack.security.session.lifespanto control the session lifespan.Note: there is a known bug, #22440, that prevents the session expiration message from showing on multiple tabs. That is partially addressed in this PR (for the
basicandtokenauth providers), but it will need to be fully addressed in a separate PR.Resolves #18566.
Resolves #48859.
Screenshots
All warnings and messages now display on multiple tabs.
Added new session lifespan warning with progress indicator and countdown timer:
Modified existing session idle timeout warning to match:
Logout messages now display on all tabs when using
basicortokenauth providers:Checklist
Use
strikethroughsto remove checklist items you don't feel are applicable to this PR.[ ] This was checked for keyboard-only and screenreader accessibilityFor maintainers