Consider adding a maximum lifetime for the session cookie #22
Labels: good first issue, improvement
🚀 Feature Proposal
The `SessionMaxAge` directive of Apache's `mod_session` module allows us to set a maximum age for an inactive browser session. The `SessionMaxAge` clock is reset every time the session is saved, so the session will not expire as long as the user keeps interacting with Guacamole. But if the user is inactive for `SessionMaxAge` seconds then the session is expired and the user must once again present valid Kerberos credentials to continue interacting with Guacamole. The default value (which we are currently using) is zero, which corresponds to no maximum age for sessions.

We should consider assigning a maximum session age of, say, one hour or one day.
Motivation
This came up because one of the assessors noticed that he was able to continue interacting with a Guacamole session after his Kerberos credentials expired. That was not surprising, since he presumably still had a valid session cookie, but in writing an email response to him I started looking at the Apache documentation to determine what the maximum session age was currently set to.
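
The idle-timeout behaviour described in this issue, modelled as a small Python simulation (an added example, not code from this project or from Apache). The `Session` class, the request timelines and the 10-hour ticket lifetime are constructed assumptions, and a save is assumed to happen on every accepted request.

```python
from dataclasses import dataclass
from typing import Optional

HOUR = 3600
TICKET_LIFETIME = 10 * HOUR  # constructed Kerberos ticket lifetime, for illustration


@dataclass
class Session:
    """Hypothetical model of a session with a SessionMaxAge-style idle timeout."""
    max_age: int                  # seconds; 0 means no maximum age
    expiry: Optional[int] = None  # absolute time at which the session lapses

    def save(self, now: int) -> None:
        # Every save restarts the clock, as the issue describes.
        self.expiry = now + self.max_age if self.max_age > 0 else None

    def request(self, now: int) -> bool:
        """Return True if the session is still accepted at time `now`."""
        if self.expiry is not None and now >= self.expiry:
            return False          # expired: the user must authenticate again
        self.save(now)
        return True


def first_rejection(max_age: int, request_times: list[int]) -> Optional[int]:
    """Time of the first rejected request, or None if every request is accepted."""
    session = Session(max_age)
    session.save(0)               # session created at login, t = 0
    for t in request_times:
        if not session.request(t):
            return t
    return None


# Constructed timelines, in seconds since login.
ACTIVE = list(range(0, 12 * HOUR + 1, 30 * 60))  # one request every 30 min for 12 h
IDLE_GAP = [0, 20 * 60, 40 * 60, 2 * HOUR]       # 80 min of inactivity before the last request


def summary() -> dict:
    return {
        "no_max_age_active": first_rejection(0, ACTIVE),
        "one_hour_active": first_rejection(HOUR, ACTIVE),
        "one_hour_idle_gap": first_rejection(HOUR, IDLE_GAP),
        "one_day_idle_gap": first_rejection(24 * HOUR, IDLE_GAP),
        "active_outlives_ticket": first_rejection(HOUR, ACTIVE) is None
                                  and ACTIVE[-1] > TICKET_LIFETIME,
    }
```

With a one-hour value the idle session is rejected at its next request, while the continuously active session is still accepted after the assumed ticket lifetime has passed, because each save pushes the expiry forward.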