I have users logging in via LDAP, which then syncs their group settings. I have set this for every login, however I am now finding that if a user’s browser stays open, I am unclear on when they will ever be forced to log back in. Since I can’t run an LDAP group sync on a schedule (unless someone has that working) I need to be able to limit sessions for my permissions to remain somewhat valid.
I have found that there is a setting for
xwiki.authentication.cookielife
This says it defaults to 14 days. I have looked at my cookies after logging in, and they indicate “Session” for the lifetime. I expected to see 14 days in some form, but I at least noted what was shown before I changed any settings. I then set the cookielife to
xwiki.authentication.cookielife=.001
After restarting tomcat, and logging out and back in, the lifetime is still “Session”. I have confirmed the configuration settings are taking effect by testing with encryption turned off, and it does in fact show my username/password in the clear in the cookie.
It would appear the underlying cookie lifetime is defined in seconds (the code multiplies by 60*60*24 from what I could tell) so I was expecting this to be something around 86 seconds for testing. However, it doesn’t seem to have any effect. If I wait 5 minutes, then click a link, or open a new tab and go to the wiki, I am still logged in.
Without the ability to change this, my group permissions from LDAP are very unreliable. If I remove someone from a group, but they never press the log out button, they never sync and therefore never lose the permission.
Can someone help me with this? So far I can only think of two ways to solve my core issue:
- Periodic group updates from LDAP without user login (I don’t see this as possible right now)
- Force sessions to expire after X hours. (seems to also not be working)
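An added example to go with the post above (it is not code from the post or from XWiki itself): a small Python check that reads Set-Cookie header values, as copied from the browser's developer tools or a proxy, and tells you whether each login cookie is session-scoped ("Session" in the browser, no Expires or Max-Age, so the browser decides when it goes away) or persistent with a given number of seconds left. It also includes the days * 60 * 60 * 24 conversion the post describes for xwiki.authentication.cookielife, so you can see what remaining lifetime you should expect for a given setting. The cookie names and header values below are constructed samples, not captured from a real wiki.

```python
"""Classify login cookies as session-scoped or persistent and compute their lifetime.

Added example, not code from the forum post or from XWiki. Parses Set-Cookie
header values (constructed below) and reports whether each cookie survives a
browser restart and, if so, for how many seconds. cookielife_days_to_seconds()
mirrors the days * 60 * 60 * 24 conversion described in the post.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional


def cookielife_days_to_seconds(days: float) -> int:
    """Convert a cookielife value given in days to whole seconds (0.001 -> 86)."""
    return int(days * 60 * 60 * 24)


@dataclass
class CookieLifetime:
    name: str
    persistent: bool          # True if the browser keeps it across restarts
    seconds: Optional[int]    # remaining lifetime; None for a session cookie
    secure: bool
    httponly: bool


def parse_set_cookie(header: str, now: Optional[datetime] = None) -> CookieLifetime:
    """Parse one Set-Cookie header value.

    Max-Age takes precedence over Expires (RFC 6265); a cookie with neither is a
    session cookie, so the server has not bounded its lifetime at all.
    """
    now = now or datetime.now(timezone.utc)
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    flags = set()
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        elif part:
            flags.add(part.lower())

    seconds: Optional[int] = None
    max_age = attrs.get("max-age")
    if max_age is not None and max_age.lstrip("-").isdigit():
        # Zero or negative Max-Age means "delete now": report 0 remaining.
        seconds = max(0, int(max_age))
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:          # some Python versions return naive UTC
            expires = expires.replace(tzinfo=timezone.utc)
        seconds = max(0, int((expires - now).total_seconds()))

    return CookieLifetime(
        name=name,
        persistent=seconds is not None,
        seconds=seconds,
        secure="secure" in flags,
        httponly="httponly" in flags,
    )


def cookies_outliving(headers: list, limit_seconds: int,
                      now: Optional[datetime] = None) -> list:
    """Names of cookies that live longer than the limit you intended.

    Session cookies are included: from the server's point of view their
    lifetime is unbounded, so nothing forces a re-login (and a group re-sync)
    while the browser stays open.
    """
    result = []
    for header in headers:
        cookie = parse_set_cookie(header, now)
        if cookie.seconds is None or cookie.seconds > limit_seconds:
            result.append(cookie.name)
    return result


# Constructed sample headers and a fixed clock; the cookie names are illustrative.
SAMPLE_NOW = datetime(2025, 12, 31, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "JSESSIONID=0123456789ABCDEF; Path=/xwiki; HttpOnly",
    "username=alice; Max-Age=86; Path=/; Secure; HttpOnly",
    "rememberme=1; Expires=Thu, 01 Jan 2026 00:00:00 GMT; Path=/",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(parse_set_cookie(header, SAMPLE_NOW))
    limit = cookielife_days_to_seconds(0.001)
    print("cookies exceeding", limit, "seconds:",
          cookies_outliving(SAMPLE_HEADERS, limit, SAMPLE_NOW))
```

Run it as is to see the three sample cookies classified; to check a real login, paste the Set-Cookie values your wiki returns into SAMPLE_HEADERS. A cookie that still comes back with neither Max-Age nor Expires after changing cookielife is the thing to chase, since the setting can only have taken effect if one of those attributes appears.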