[ https://issues.apache.org/jira/browse/QPID-7034?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16128492#comment-16128492 ]

Keith Wall commented on QPID-7034:
----------------------------------

The change made allows an absolute expiry to be applied to an *HTTP session*, 
which I think is sufficient to answer the immediate requirement.  

However, it strikes me that the current model is not ideal.   I think in the 
long term the constraint needs to be applied equally to both interactive HTTP 
management sessions and AMQP management sessions.  Also for use-cases where the 
virtualhost is the unit being managed, the configuration should be shared 
amongst the nodes of the group and be applied no matter where the current 
mastership resides, without the need to keep Broker configuration in sync.

Perhaps the Broker model should allow constraints such as these to be 
associated with a profile.  Profiles would then be associated with a group and 
applied as users log on.  Profiles would need to be children of both Broker and 
Virtualhost.    Typical configuration might be that an operator group had a 
profile with an absoluteSessionTimeout of say 30mins.   The profile associated 
with an application messaging group might have no absoluteSessionTimeout at all.
 



> Inactive web management console session not automatically timed-out
> -------------------------------------------------------------------
>
>                 Key: QPID-7034
>                 URL: https://issues.apache.org/jira/browse/QPID-7034
>             Project: Qpid
>          Issue Type: Bug
>          Components: Java Broker
>            Reporter: Keith Wall
>             Fix For: qpid-java-broker-7.0.0
>
>
> If, as an operator, I have a session open on the web management console, the 
> session should expire and I should be forced to reauthenticate if I don't use 
> the application for a period of time.
> This currently doesn't happen.  Web Management correctly establishes an HTTP 
> session timeout, but the session is kept alive by the regular polls the 
> client side makes to the server.  This is sufficient to keep the session 
> alive and means the user is never automatically logged out.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
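
The polling behaviour described in the issue and the absolute expiry discussed in the comment, as an added example that is not part of the original message or of the Qpid code base: a minimal model of a session store with an idle timeout and an optional absolute timeout, driven by a simulated client. The class, field and method names, the 10-minute idle timeout and the 5-second poll interval are assumptions made for illustration; the 30-minute absolute limit is the value used as an example in the comment.

```java
import java.time.Duration;

/** Added illustration of idle vs. absolute session expiry; not Qpid Broker code. */
public class SessionExpiryDemo {

    /** Hypothetical session record; times are seconds since the simulation started. */
    static final class Session {
        final long createdAt;
        long lastAccessedAt;
        Session(long now) { createdAt = now; lastAccessedAt = now; }
    }

    private final Duration idleTimeout;
    private final Duration absoluteTimeout; // null means no absolute limit

    SessionExpiryDemo(Duration idleTimeout, Duration absoluteTimeout) {
        this.idleTimeout = idleTimeout;
        this.absoluteTimeout = absoluteTimeout;
    }

    /** Returns true if the request is served, false if the session has expired. */
    boolean onRequest(Session s, long now) {
        if (now - s.lastAccessedAt >= idleTimeout.getSeconds()) return false;
        if (absoluteTimeout != null
                && now - s.createdAt >= absoluteTimeout.getSeconds()) return false;
        // Any served request resets the idle clock, whether it came from the
        // operator or from the page's background poll. The creation time never moves.
        s.lastAccessedAt = now;
        return true;
    }

    /** Sends one request every intervalSeconds; returns the time of the first
     *  rejected request, or -1 if none is rejected before horizonSeconds. */
    long firstRejection(long intervalSeconds, long horizonSeconds) {
        Session s = new Session(0);
        for (long now = intervalSeconds; now <= horizonSeconds; now += intervalSeconds) {
            if (!onRequest(s, now)) return now;
        }
        return -1;
    }

    public static void main(String[] args) {
        Duration idle = Duration.ofMinutes(10);           // constructed value
        long day = Duration.ofHours(24).getSeconds();
        // Scenario 1: idle timeout only, console polls every 5 seconds.
        System.out.println(new SessionExpiryDemo(idle, null).firstRejection(5, day));
        // Scenario 2: same polling, plus a 30-minute absolute timeout.
        System.out.println(
            new SessionExpiryDemo(idle, Duration.ofMinutes(30)).firstRejection(5, day));
        // Scenario 3: idle timeout only, next request arrives after 11 minutes.
        System.out.println(new SessionExpiryDemo(idle, null).firstRejection(660, day));
    }
}
```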
