On Thu, Jan 18, 2024 at 1:03 AM anoop yadav <[email protected]> wrote:

> I am trying to build a Web app where users can create multiple Ubuntu
> instances and use them through my web app. The domain for my web app is
> example-app.com which is written in reactjs. I have hosted guacamole
> clients on separate subdomains lab.example-app.com.
>
> In the reactjs app, I am using the Iframe (Not sure if there is any other
> way) to show lab.example-app.com (guacamole client app), since I don't
> want the user to do another login on the guacamole app. I am planning to
> use a token. My current logic is as follows:
>
> 1. When the user creates an account (the backend is in Django-python) I
> make a REST API request to create an account, get a token from guacamole
> and save it to the web app database.
> 2. When the user creates an Ubuntu instance, using the REST API I create a
> connection and associate the user with it. I save a URL like
> lab.example-app.com/guacamole/#/client/<CONNECTION>?token=<TOKEN>
>
>
> Everything works fine and the user can access multiple connections, but
> the token has a lifetime, and after that time the URL is not working.
>
>
To be clear, the token does not have a lifetime, it has an *idle lifetime*
- that is, it times out after a certain period of inactivity. As long as
the Guacamole instance is being used - for an active connection, for
example - the token will remain valid.


>
> How do I manage the token so that it doesn't expire?
>

You can set the api-session-timeout property in guacamole.properties to
adjust the *idle lifetime* of the token - see
https://guacamole.apache.org/doc/gug/configuring-guacamole.html#guacamole-properties
.

That said, I don't think you really want it to never expire - at least,
from a security perspective, I would not recommend that, even if you're
doing some other cleanup of the tokens from your web application. You may
want to extend it such that it more closely fits in with your use case, but
setting it to either never expire (which isn't really possible) or even a
very long idle time just adds security risk to the application.

-Nick
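
Added example, not part of the message above and not Guacamole project code: one way to keep the idle timeout short is to have the Django backend request a token when the user opens the lab instead of saving one at account creation. It assumes Guacamole's `POST /api/tokens` login call and that the backend holds each user's Guacamole credentials; `GuacTokenBroker`, the 60-minute timeout and the refresh margin are hypothetical names and values.

```python
import json
import time
import urllib.parse
import urllib.request

GUAC_BASE = "https://lab.example-app.com/guacamole"  # host taken from the thread
IDLE_TIMEOUT_MIN = 60   # assumed to mirror api-session-timeout in guacamole.properties
REFRESH_MARGIN_S = 120  # hypothetical margin: re-login shortly before the idle limit


def http_post_form(url, fields):
    """Default transport: POST form fields, return the decoded JSON reply."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class GuacTokenBroker:
    """Mint Guacamole tokens on demand; never persist them in the app database."""

    def __init__(self, post=http_post_form, clock=time.monotonic):
        self._post, self._clock = post, clock
        self._cache = {}  # username -> (token, time the token was issued)

    def token_for(self, username, password):
        # A token younger than the idle timeout cannot have idled out yet,
        # so reusing it inside that window is safe; otherwise log in again.
        cached = self._cache.get(username)
        max_age = IDLE_TIMEOUT_MIN * 60 - REFRESH_MARGIN_S
        if cached and self._clock() - cached[1] < max_age:
            return cached[0]
        reply = self._post(f"{GUAC_BASE}/api/tokens",
                           {"username": username, "password": password})
        token = reply["authToken"]
        self._cache[username] = (token, self._clock())
        return token

    def client_url(self, username, password, connection):
        """Build the iframe URL in the form quoted in the thread."""
        token = self.token_for(username, password)
        conn = urllib.parse.quote(connection, safe="")
        return f"{GUAC_BASE}/#/client/{conn}?token={urllib.parse.quote(token, safe='')}"
```

The in-memory cache is per process; a multi-worker Django deployment would need a shared cache with the same age check.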
