Thanks for pointing that out. I will update the logic to update the user
token when the user tries to connect to the Ubuntu instance rather than
during account creation (I can also add a check so that if the last token
was generated within 60 min, a new token is not generated, etc.). But I have
a question: if the user already has a previous connection active on a
different instance with the previous token, and he connects to a new
instance in a new tab and gets the new token, will his previous connection
get disconnected automatically? (If he refreshes the page he will get the
new token from the web app, but will his previous connection get force
disconnected?)



On Thu, Jan 18, 2024 at 5:10 PM Nick Couchman <vn...@apache.org> wrote:

> On Thu, Jan 18, 2024 at 1:03 AM anoop yadav <anoop...@gmail.com> wrote:
>
>> I am trying to build a web app where users can create multiple Ubuntu
>> instances and use them through my web app. The domain for my web app is
>> example-app.com, which is written in reactjs. I have hosted Guacamole
>> clients on separate subdomains lab.example-app.com.
>>
>> In the reactjs app, I am using an iframe (not sure if there is any other
>> way) to show lab.example-app.com (the Guacamole client app), since I don't
>> want the user to do another login on the Guacamole app. I am planning to
>> use a token. My current logic is as follows:
>>
>> 1. When the user creates an account (the backend is in Django-python), I
>> make a REST API request to create an account, get a token from Guacamole,
>> and save it to the web app database.
>> 2. When the user creates an Ubuntu instance, using the REST API I create
>> a connection and associate the user with it. I save a URL like
>> lab.example-app.com/guacamole/#/client/<CONNECTION>?token=<TOKEN>
>>
>>
>> Everything works fine and the user can access multiple connections, but
>> the token has a lifetime, and after that time the URL is not working.
>>
>>
> To be clear, the token does not have a lifetime, it has an *idle lifetime*
> - that is, it times out after a certain period of inactivity. As long as
> the Guacamole instance is being used - for an active connection, for
> example - the token will remain valid.
>
>
>>
>> How do I manage the token so that it doesn't expire?
>>
>
> You can set the api-session-timeout property in guacamole.properties to
> adjust the *idle lifetime* of the token - see
> https://guacamole.apache.org/doc/gug/configuring-guacamole.html#guacamole-properties
> .
>
> That said, I don't think you really want it to never expire - at least,
> from a security perspective, I would not recommend that, even if you're
> doing some other cleanup of the tokens from your web application. You may
> want to extend it such that it more closely fits in with your use case, but
> setting it to either never expire (which isn't really possible) or even a
> very long idle time just adds security risk to the application.
>
> -Nick
>
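
The connect-time token handling discussed in this thread, as an added example that is not part of the original messages or of Guacamole itself. `TokenBroker`, its `login` callable (standing in for the backend's authentication request to Guacamole) and the 60/120-minute values are assumptions made for illustration.

```python
import itertools
from urllib.parse import quote


class TokenBroker:
    """Hands out a Guacamole token at connect time, reusing a recent one."""

    def __init__(self, login, reuse_window_s, idle_timeout_s, clock):
        # login: hypothetical callable (username -> fresh token string); in a
        # real backend it would authenticate against Guacamole.
        if reuse_window_s >= idle_timeout_s:
            # The timeout is an idle one: a token nobody used since it was
            # issued is already dead once idle_timeout_s has passed.
            raise ValueError("reuse window must be shorter than idle timeout")
        self._login = login
        self._reuse_window_s = reuse_window_s
        self._clock = clock
        self._issued = {}  # username -> (token, issued_at)

    def token_for(self, username):
        now = self._clock()
        cached = self._issued.get(username)
        if cached is not None and now - cached[1] < self._reuse_window_s:
            return cached[0]
        token = self._login(username)
        self._issued[username] = (token, now)
        return token

    def client_url(self, base_url, username, connection):
        # URL shape taken from the message above; values are percent-encoded.
        return "{}/#/client/{}?token={}".format(
            base_url.rstrip("/"), quote(connection, safe=""),
            quote(self.token_for(username), safe=""))


def demo():
    """Constructed run: fake clock and fake login, no network access."""
    now = [0.0]
    counter = itertools.count(1)
    base = "https://lab.example-app.com/guacamole"
    broker = TokenBroker(lambda user: "TOKEN{}".format(next(counter)),
                         reuse_window_s=60 * 60, idle_timeout_s=120 * 60,
                         clock=lambda: now[0])
    first = broker.client_url(base, "alice", "c1")
    now[0] = 30 * 60   # second instance opened 30 minutes later: same token
    second = broker.client_url(base, "alice", "c2")
    now[0] = 61 * 60   # past the reuse window: a new token is requested
    third = broker.client_url(base, "alice", "c3")
    return first, second, third
```

Building the URL per request keeps the token out of the web app database; only the connection identifier needs to be stored.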
