UI authentication session is not expiring

Bug #1852745 reported by Vladimir Grevtsev
Affects    Status         Importance   Assigned to   Milestone
MAAS       Fix Released   Medium       Unassigned    3.4.1
maas-ui    Invalid        Undecided    Unassigned

Bug Description

One of our customers made a pentesting assessment and the following recommendations were issued:

- Set session timeout to the minimal value possible depending on the context of the application.
- Avoid "infinite" session timeout.

Currently, authenticated sessions remain active indefinitely after their last use. If an authenticated user were to leave a browser window open without explicitly logging out of the application, another person may be able to resume that user's session several hours later simply by browsing to the MAAS UI on the same computer.

Changed in maas:
status: New → Triaged
importance: Undecided → High
tags: added: ui
Changed in maas:
assignee: nobody → Kit Randel (blr)
Huw Wilkins (huwshimi)
tags: added: api
removed: ui
Changed in maas:
assignee: Kit Randel (blr) → nobody
Changed in maas-ui:
status: Unknown → New
Huw Wilkins (huwshimi) wrote :

The session cookie is created by Django, which also dictates the cookie expiry (in fact the cookie has HttpOnly, so it can't be accessed by JavaScript).

I think the expiry can be controlled by SESSION_COOKIE_AGE:

https://docs.djangoproject.com/en/3.0/ref/settings/#session-cookie-age

Changed in maas-ui:
importance: Unknown → Undecided
status: New → Invalid
tags: removed: api
Jerzy Husakowski (jhusakowski) wrote :

An upcoming release of MAAS will allow users to specify session timeout. Let's re-test this issue on that release.

Changed in maas:
importance: High → Medium
milestone: none → 3.4.0
Alberto Donato (ack)
Changed in maas:
milestone: 3.4.0 → 3.4.x
Changed in maas:
milestone: 3.4.x → 3.5.x
Anton Troyanov (troyanov) wrote :

https://code.launchpad.net/~ack/maas/+git/maas/+merge/438669

commit a69b8a3f58d65aba92d788c8e89aaf38e1258a93
Author: Alberto Donato <email address hidden>
Date: Fri Mar 10 15:01:42 2023 +0000

    periodically check and disconnect expired websocket sessions

❯ git tag --contains a69b8a3f58d65aba92d788c8e89aaf38e1258a93
3.4.0
3.4.0-beta1
3.4.0-beta2
3.4.0-beta3
3.4.0-rc1
3.4.0-rc2
3.5.0-beta1
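Added example, not code from MAAS, Django or any commenter above: it ties together the two points raised in the thread, Huw's note that the Django setting SESSION_COOKIE_AGE bounds the session, and the fix commit's approach of periodically checking for and disconnecting expired sessions. The setting names in HARDENED_SESSION_SETTINGS are real Django settings (Django's default SESSION_COOKIE_AGE is 1209600 seconds, two weeks); the values are illustrative, not MAAS's configuration. The SessionStore and demo helpers are hypothetical and model what the server must enforce: the cookie's Max-Age is only advice to the browser, so both the per-request check and the periodic sweep have to happen server-side. The session keys, user names and timestamps are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Real Django setting names; values are an illustrative hardening, not MAAS's
# actual configuration. SESSION_COOKIE_AGE sets both the cookie Max-Age and the
# expiry of the server-side session record, and SESSION_SAVE_EVERY_REQUEST turns
# that fixed age into a sliding idle timeout by re-saving the session on every hit.
HARDENED_SESSION_SETTINGS = {
    "SESSION_COOKIE_AGE": 3600,               # Django default: 1209600 (two weeks)
    "SESSION_SAVE_EVERY_REQUEST": True,       # refresh the expiry on each request
    "SESSION_EXPIRE_AT_BROWSER_CLOSE": True,  # session cookie, not a persistent one
    "SESSION_COOKIE_HTTPONLY": True,
    "SESSION_COOKIE_SECURE": True,
    "SESSION_COOKIE_SAMESITE": "Lax",
}


@dataclass
class Session:
    user: str
    created_at: float   # seconds; absolute lifetime is measured from here
    last_seen: float    # seconds; idle timeout is measured from here


class SessionStore:
    """Hypothetical server-side store (not Django's SessionStore) enforcing an
    idle timeout plus an absolute maximum lifetime, independent of the cookie."""

    def __init__(self, idle_timeout: float, max_lifetime: float) -> None:
        self.idle_timeout = idle_timeout
        self.max_lifetime = max_lifetime
        self._sessions: Dict[str, Session] = {}

    def create(self, session_key: str, user: str, now: float) -> Session:
        session = Session(user=user, created_at=now, last_seen=now)
        self._sessions[session_key] = session
        return session

    def _expired(self, session: Session, now: float) -> bool:
        idle_too_long = now - session.last_seen > self.idle_timeout
        lived_too_long = now - session.created_at > self.max_lifetime
        return idle_too_long or lived_too_long

    def authenticate(self, session_key: str, now: float) -> Optional[str]:
        """Per-request check: return the user of a live session and slide its
        idle window; delete and reject an expired or unknown session."""
        session = self._sessions.get(session_key)
        if session is None:
            return None
        if self._expired(session, now):
            del self._sessions[session_key]
            return None
        session.last_seen = now
        return session.user

    def sweep(self, now: float) -> List[str]:
        """Periodic task: purge sessions that expired without sending another
        request, so anything long-lived bound to them (e.g. a websocket) can be
        disconnected. Returns the keys removed, in insertion order."""
        dead = [key for key, s in self._sessions.items() if self._expired(s, now)]
        for key in dead:
            del self._sessions[key]
        return dead

    def live_count(self) -> int:
        return len(self._sessions)


def demo() -> Dict[str, object]:
    """Walk through idle expiry, sliding renewal, the absolute cap and the sweep
    using constructed sessions and timestamps (seconds from an arbitrary zero)."""
    store = SessionStore(idle_timeout=3600, max_lifetime=8 * 3600)
    store.create("k1", "alice", now=0)
    store.create("k2", "bob", now=0)
    results: Dict[str, object] = {}
    results["active_within_idle"] = store.authenticate("k1", now=3000)  # "alice"
    results["idle_expired"] = store.authenticate("k2", now=4000)        # None
    # alice keeps working every 30 minutes, so the idle window keeps sliding...
    t = 3000
    while t < 8 * 3600:
        t += 1800
        store.authenticate("k1", now=t)
    # ...but the absolute lifetime still ends the session.
    results["absolute_expired"] = store.authenticate("k1", now=8 * 3600 + 1)  # None
    # carol logs in and then walks away; the sweep finds her stale session.
    store.create("k3", "carol", now=30000)
    results["swept"] = store.sweep(now=30000 + 3601)  # ["k3"]
    results["live_after_sweep"] = store.live_count()  # 0
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The per-request check alone closes the hole the pentest describes for the HTTP API, since a stale key is rejected on its next use. It does nothing for a connection that was authenticated once and then stays open, which is why the fix commit above adds a periodic check that disconnects expired websocket sessions; sweep() is the shape of that job.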

no longer affects: maas/3.4
Changed in maas:
milestone: 3.5.x → 3.4.x
status: Triaged → Fix Released
Changed in maas:
milestone: 3.4.x → 3.4.1