User Sessions and cookielife

I have users logging in via LDAP, which then syncs their group settings. I have set this to happen on every login; however, I am now finding that if a user’s browser stays open, I am unclear on when they will ever be forced to log back in. Since I can’t run an LDAP group sync on a schedule (unless someone has that working), I need to be able to limit sessions for my permissions to remain somewhat valid.

I have found that there is a setting for
xwiki.authentication.cookielife

This says it defaults to 14 days. I have looked at my cookies after logging in, and they indicate “Session” for the lifetime. I expected to see 14 days in some form, but I at least noted what was shown before I changed any settings. I then set the cookielife to
xwiki.authentication.cookielife=.001

After restarting Tomcat and logging out and back in, the lifetime is still “Session”. I have confirmed the configuration settings are taking effect by turning off encryption as a test, and it does in fact show my username/password in the clear in the cookie.

It would appear the underlying cookie lifetime is defined in seconds (the code multiplies by 60*60*24 from what I could tell), so I was expecting this to be something around 86 seconds for testing. However, it doesn’t seem to have any effect. If I wait 5 minutes and then click a link, or open a new tab and go to the wiki, I am still logged in.

Without the ability to change this, my group permissions from LDAP are very unreliable. If I remove someone from a group, but they never press the log out button, they never sync and therefore never lose the permission.

Can someone help me with this? So far I can only think of two ways to solve my core issue:

  1. Periodic group updates from LDAP without user login (I don’t see this as possible right now)
  2. Force sessions to expire after X hours (seems to also not be working)

I believe I have found that this session cookie’s lifetime is in fact set IF the user selects “remember me.” I guess I don’t fully understand why the cookie is used without the check box, if using it sets the cookie and allows me to adjust the length.

Are there some quick patches someone could show me to either force the “remember me”, or perhaps better, to apply the cookie lifetime in BOTH the case where the user checks it and where they don’t?

For anyone with a similar question, I have had to do the following things to get something workable for my situation. If I am misunderstanding any of these pieces, or there is a better way, please feel free to let me know.

First, it seems that the cookie set when a user logs in WITHOUT the “remember me” check box displays as “Session” lifetime in my Chrome debug console. However, even when I time out the session (I see the standard cookie change IDs), this one remains. So I cannot find a way to work with this cookie to set limits on when it is invalidated. However, if the user does check the “remember me” box, the existing settings for cookielife are enforced.

Therefore, I had to create an override template for the login page, which both sets the check box to be checked by default and hides it and its text from being displayed. In this way, all my users are using this setting, and I can set the cookie lifetime as needed.

Secondly, there is a session timeout in Tomcat. I have found that if the cookie expires, my user still shows as logged in with full permissions as long as this session remains. Therefore a user can remain active for some unknown (to me) amount of time even after my cookie expiration. This session can be adjusted in the Tomcat web.cfg; however, I believe it is an inactivity timeout. So if someone is very actively using it, it will still keep them logged in. I have edited this file to set mine to a relatively short 10 minutes. So if a user is active after my cookie expires, they will be logged in until they stop for a short amount of time.

These two things combined provide me with the ability to at least approximate a required daily login by users. I can set my cookie lifetime to 8 hours, while my session limit is 10 minutes. During the 8 hours that the cookie is valid, the user doesn’t need to re-login even if inactive and losing the session. However, after the 8 hours they will lose the cookie and be logged out more aggressively. Users should basically be forced to log in at least every morning, which will help enforce any LDAP group changes that have taken place.

All this could be avoided, if I could somehow sync the ldap groups and users separately. This would allow sessions to remain open, while still keeping the permissions current.

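The check below is an added example written for this thread; it is not XWiki project code and was not posted by the author above. It takes Set-Cookie headers captured from a login response (the ones here are constructed samples, not real captures), works out whether each cookie is a plain session cookie or carries a Max-Age/Expires, and compares that lifetime with what xwiki.authentication.cookielife should produce (days converted to seconds with 60*60*24, as the thread describes). The cookie names username, password, rememberme and validation are assumed to be the defaults XWiki uses; the 8-hour cookielife and 10-minute Tomcat session-timeout in the comments are the values the last post settles on.

```python
"""Audit XWiki login cookies against the configured cookielife.

Assumed settings from the thread (not verified against any deployment):
  xwiki.cfg:            xwiki.authentication.cookielife=0.333   # days -> 8 h
  Tomcat conf/web.xml:  <session-config><session-timeout>10</session-timeout></session-config>  # idle minutes
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple

# Cookie names assumed to be XWiki's defaults for persistent login.
XWIKI_LOGIN_COOKIES = ("username", "password", "rememberme", "validation")


def cookielife_seconds(cookielife_days: float) -> int:
    """Convert the cookielife setting (days) to seconds the way the thread
    describes the code doing it: multiply by 60*60*24 and truncate."""
    return int(cookielife_days * 60 * 60 * 24)


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {"name": name.strip(), "value": value.strip()}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return attrs


def cookie_lifetime(attrs: Dict[str, object], now: datetime) -> Optional[int]:
    """Remaining lifetime in seconds, or None for a session cookie
    (no Max-Age and no Expires attribute). Max-Age wins over Expires."""
    if "max-age" in attrs:
        return int(str(attrs["max-age"]))
    if "expires" in attrs:
        expires = parsedate_to_datetime(str(attrs["expires"]))
        return int((expires - now).total_seconds())
    return None


def audit_login_cookies(headers: List[str], cookielife_days: float,
                        now: datetime, tolerance: int = 5) -> Dict[str, Tuple[Optional[int], str]]:
    """Map each XWiki login cookie to (lifetime_seconds, status) where status is
    'session' (browser-lifetime cookie, cookielife not applied), 'ok' (lifetime
    matches cookielife within tolerance) or 'mismatch'."""
    expected = cookielife_seconds(cookielife_days)
    report: Dict[str, Tuple[Optional[int], str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        name = str(cookie["name"])
        if name not in XWIKI_LOGIN_COOKIES:
            continue
        life = cookie_lifetime(cookie, now)
        if life is None:
            status = "session"
        elif abs(life - expected) <= tolerance:
            status = "ok"
        else:
            status = "mismatch"
        report[name] = (life, status)
    return report


# Constructed sample headers (values are placeholders, not real encrypted cookies).
NOW = datetime(2026, 1, 1, 0, 0, 0, tzinfo=timezone.utc)

# Login without "remember me": cookies carry no lifetime, so the browser shows "Session".
SAMPLE_NO_REMEMBER = [
    "username=ENCRYPTED; Path=/; HttpOnly",
    "password=ENCRYPTED; Path=/; HttpOnly",
    "rememberme=false; Path=/; HttpOnly",
]

# Login with "remember me" and cookielife=8/24: one cookie via Max-Age, one via
# Expires (containers emit one or both), and one left at the default 14 days.
SAMPLE_REMEMBER = [
    "username=ENCRYPTED; Max-Age=28800; Path=/; HttpOnly",
    "password=ENCRYPTED; Expires=Thu, 01 Jan 2026 08:00:00 GMT; Path=/; HttpOnly",
    "rememberme=true; Max-Age=1209600; Path=/; HttpOnly",
    "JSESSIONID=abc123; Path=/; HttpOnly",  # Tomcat session id, not an XWiki login cookie
]


if __name__ == "__main__":
    for label, sample in (("no remember-me", SAMPLE_NO_REMEMBER), ("remember-me", SAMPLE_REMEMBER)):
        print(label)
        for name, (life, status) in audit_login_cookies(sample, 8 / 24, NOW).items():
            print(f"  {name:<12} lifetime={life!s:<8} {status}")
```

Run it against the Set-Cookie headers from your own login response (curl -i on the login form, or the Network tab in the browser) to confirm which cookies actually received the lifetime; a "session" status on the username/password cookies reproduces the behaviour described in the thread, and the JSESSIONID line is deliberately ignored because the Tomcat session timeout, not cookielife, governs it.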