yahoo-eng-team team mailing list archive
Message #03540
[Bug 1118441] Re: Horizon does not implement a browser session timeout
** Changed in: horizon
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1118441
Title:
Horizon does not implement a browser session timeout
Status in OpenStack Dashboard (Horizon):
Fix Released
Bug description:
Horizon does not terminate user sessions (from a browser) after a
reasonable period of inactivity. The only timeout is that of
keystone's token which is often set to very long periods. The only
session timeout implemented by Horizon is Django's
SESSION_EXPIRE_AT_BROWSER_CLOSE which closes the session when the
browser closes.
Due to the nature of what can be done in Horizon (both now and in the
future) this could pose significant risk since it enables bystanders
to make use of unlocked workstations in order to access sensitive data
and do otherwise unauthorised activities on behalf of what some may
call a 'careless' end-user.
Implementing a reasonable inactive session timeout for Horizon would
mitigate this risk.
An option to solve this problem could be to include this code:
https://github.com/subhranath/django-session-idle-timeout
There is some discussion regarding possible solutions here:
http://stackoverflow.com/questions/3024153/how-to-expire-session-due-to-inactivity-in-django
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1118441/+subscriptions
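As an added illustration (not code from the bug report, from Horizon, or from the linked projects), the inactivity check the report asks for, written as Django-style middleware that stores a last-activity timestamp in the session and flushes the session once it has been idle longer than a configurable period. The middleware class name, the session key and the 15-minute default are assumptions, and DictSession is a constructed stand-in so the core function runs without Django installed.

```python
import time

IDLE_TIMEOUT_SECONDS = 15 * 60       # assumed policy: 15 minutes of inactivity
LAST_ACTIVITY_KEY = "last_activity"  # session key name chosen for this example


def touch_or_expire(session, now=None, idle_seconds=IDLE_TIMEOUT_SECONDS):
    """Return True if the session is still live (and refresh its activity stamp),
    False if it has been idle too long (and wipe it).

    `session` only needs dict-style get/set and a flush() method, which
    Django's request.session provides; no Django import is required here.
    """
    now = time.time() if now is None else now
    last = session.get(LAST_ACTIVITY_KEY)
    if last is not None and now - last > idle_seconds:
        # Idle too long: drop all server-side session state (which in Horizon
        # includes the cached keystone token) so the next request must log in
        # again, independent of how long keystone's own token lifetime is.
        session.flush()
        return False
    # First request of the session, or still active: stamp the activity time.
    session[LAST_ACTIVITY_KEY] = now
    return True


class SessionIdleTimeoutMiddleware:
    """Django-style middleware (hypothetical name) wrapping touch_or_expire."""

    def __init__(self, get_response, idle_seconds=IDLE_TIMEOUT_SECONDS):
        self.get_response = get_response
        self.idle_seconds = idle_seconds

    def __call__(self, request):
        # Only authenticated sessions carry state worth expiring; anonymous
        # requests pass straight through. (is_authenticated is a property in
        # current Django; older releases exposed it as a method.)
        user = getattr(request, "user", None)
        if user is not None and user.is_authenticated:
            touch_or_expire(request.session, idle_seconds=self.idle_seconds)
        return self.get_response(request)


class DictSession(dict):
    """Constructed stand-in for request.session, for offline testing only.
    Django's flush() also rotates the session key; this one just clears."""

    def flush(self):
        self.clear()
```

The middleware only flushes the session; Horizon's existing login-required handling then sends the next request to the login page, so no redirect logic is duplicated here.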