[SERVER-12418] Add support for session timeouts
Created: 21/Jan/14 Updated: 06/Dec/22 Resolved: 24/Sep/19

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Networking, Security |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Improvement |
| Priority: | Major - P3 |
| Reporter: | Andreas Nilsson |
| Assignee: | Backlog - Security Team |
| Resolution: | Duplicate |
| Votes: | 1 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Assigned Teams: | Server Security |

Description
Add the option of a server-wide session timeout for authenticated user sessions from the shell and other drivers. The authenticated session would be automatically terminated after the specified time. It could be easily implemented without a timer or extra thread by simply checking the time of the last activity of that specific user when authorizing an action. Default would be timeout = 0, which implies infinite timeout.

Comments

Comment by Spencer Jackson [ 24/Sep/19 ]

The request for this functionality came up again in

Comment by Matt Lord (Inactive) [ 23/Feb/18 ]

Is this still relevant in 3.6+, with the addition of logical session timeouts? If so, we need to clarify what's still missing in the known user stories and use cases.

Comment by Andy Schwerin [ 21/Jan/14 ]

The challenge with timeouts is giving a signal to the driver so it knows when to reauthenticate. Getting a "not authorized" message is ambiguous, and can only be resolved by getting the result of connectionStatus on the connection. Instead, the first not-authorized operation after an auth session timeout could return "credentials expired", giving the client driver a chance to transparently reauthenticate. There's still probably more work to do in the driver than in server, though.
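The following is an added illustration, not code from this ticket or from the MongoDB server, of the two ideas discussed above: the description's timer-free design (check the time of the last activity at authorization time, with timeout 0 meaning no expiry) and the "credentials expired" signal from the comment by Andy Schwerin, returned on the first operation after expiry so the driver can reauthenticate without having to call connectionStatus. Every class and function name (`SessionAuthorizer`, `AuthResult`, `FakeClock`, the demo functions) is hypothetical; the injected clock exists only so the walkthrough is deterministic.

```python
"""Added illustration (not MongoDB code): an idle session timeout enforced at
authorization time with no timer or background thread, plus a one-shot
"credentials expired" result so a driver can reauthenticate transparently.
All names here are hypothetical."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List
import time


class AuthResult(Enum):
    OK = "ok"
    NOT_AUTHORIZED = "not authorized"
    CREDENTIALS_EXPIRED = "credentials expired"


@dataclass
class Session:
    user: str
    last_activity: float  # clock reading at the last authorized operation


class SessionAuthorizer:
    """Server-side session table. timeout_secs=0 means sessions never expire."""

    def __init__(self, timeout_secs: float = 0, clock=time.monotonic):
        self.timeout_secs = timeout_secs
        self.clock = clock  # injectable so the behaviour can be shown deterministically
        self.sessions: Dict[int, Session] = {}

    def authenticate(self, conn_id: int, user: str) -> None:
        """Called once the connection has presented valid credentials."""
        self.sessions[conn_id] = Session(user=user, last_activity=self.clock())

    def authorize(self, conn_id: int) -> AuthResult:
        """Called on every operation; this is where the idle timeout is checked."""
        session = self.sessions.get(conn_id)
        if session is None:
            return AuthResult.NOT_AUTHORIZED
        now = self.clock()
        if self.timeout_secs > 0 and now - session.last_activity > self.timeout_secs:
            # Terminate the session and signal expiry exactly once; later operations
            # on this connection get a plain NOT_AUTHORIZED until it reauthenticates.
            del self.sessions[conn_id]
            return AuthResult.CREDENTIALS_EXPIRED
        session.last_activity = now  # any authorized activity refreshes the idle timer
        return AuthResult.OK


class FakeClock:
    """Constructed stand-in for time.monotonic() so the demo is reproducible."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, secs: float) -> None:
        self.now += secs


def demo_idle_timeout() -> List[AuthResult]:
    """Walk one connection through activity, expiry, and reauthentication."""
    clock = FakeClock()
    server = SessionAuthorizer(timeout_secs=600, clock=clock)
    server.authenticate(conn_id=1, user="alice")
    results = [server.authorize(1)]               # fresh session: OK
    clock.advance(300)
    results.append(server.authorize(1))           # within timeout: OK, timer refreshed
    clock.advance(601)
    results.append(server.authorize(1))           # idle too long: CREDENTIALS_EXPIRED
    results.append(server.authorize(1))           # session gone: NOT_AUTHORIZED
    server.authenticate(conn_id=1, user="alice")  # driver reauthenticates on the signal
    results.append(server.authorize(1))           # OK again
    return results


def demo_infinite_timeout() -> AuthResult:
    """Default timeout of 0: the session survives arbitrary idle time."""
    clock = FakeClock()
    server = SessionAuthorizer(clock=clock)
    server.authenticate(conn_id=2, user="bob")
    clock.advance(10 ** 9)
    return server.authorize(2)


if __name__ == "__main__":
    for r in demo_idle_timeout():
        print(r.value)
    print(demo_infinite_timeout().value)
```

Two design points worth noting: the check uses a monotonic clock rather than wall-clock time so that NTP adjustments cannot lengthen or shorten a session, and the expiry result is returned only once per expired session (the entry is deleted on the same call), which is what makes it an unambiguous signal rather than something the driver has to disambiguate from an ordinary authorization failure.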