
Increase horizon session length
Closed, Resolved · Public

Description

Keystone sessions can last up to 7.1 days. Horizon sessions are currently set to a length of two hours. Longer might be good, but that is currently blocked by an upstream bug. Also we should probably discuss how long is so long that it's unsafe.

Event Timeline

Andrew created this task. Mar 22 2016, 3:18 PM

From the IRC discussion we had, Horizon sets a cookie session-id that expires after roughly 2 hours and 15 minutes or roughly 8000 seconds.

Horizon uses Django configured via modules/openstack/templates/liberty/horizon/local_settings.py.erb and we have SESSION_TIMEOUT = 604800 (7 days) which is apparently to allow for a shorter keystone token TTL.

For holding sessions we have:

CACHES = {
   'default': {
       'BACKEND' : 'django.core.cache.backends.memcached.MemcachedCache',
       'LOCATION' : '127.0.0.1:11000',
   }
}

Plenty of places hint at SESSION_COOKIE_AGE, which is unset for us (so it defaults to whatever value).
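A check for the mismatch described in this comment, added here as an example and not part of the task thread or the Wikimedia puppet code: it reads the lifetime a browser would apply to Django's session cookie from a Set-Cookie header and compares it with the configured SESSION_TIMEOUT. The header, the response time and the function names are constructed for illustration; the 8000 s and 604800 s figures are the ones quoted in the comment.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed sample: a Set-Cookie value of the kind Django emits for its
# session cookie ("sessionid" is Django's default SESSION_COOKIE_NAME).
SAMPLE_SET_COOKIE = (
    "sessionid=constructedsessionkey0000; "
    "expires=Tue, 22 Mar 2016 17:31:20 GMT; "
    "HttpOnly; Max-Age=8000; Path=/"
)
# Constructed time at which the response carrying the header was received.
SAMPLE_RECEIVED_AT = datetime(2016, 3, 22, 15, 18, 0, tzinfo=timezone.utc)
CONFIGURED_SESSION_TIMEOUT = 604800  # value quoted from local_settings.py.erb


def cookie_lifetime_seconds(set_cookie, received_at, name="sessionid"):
    """Lifetime a browser applies to the cookie; None means it ends with the browser."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    if name not in jar:
        raise KeyError(f"no {name!r} cookie in header")
    morsel = jar[name]
    if morsel["max-age"]:
        # Max-Age takes precedence over Expires (RFC 6265, section 5.3).
        return int(morsel["max-age"])
    if morsel["expires"]:
        expires = parsedate_to_datetime(morsel["expires"])
        return int((expires - received_at).total_seconds())
    return None


def audit(set_cookie, received_at, configured_timeout, tolerance=60):
    """Compare the observed cookie lifetime with the configured timeout."""
    observed = cookie_lifetime_seconds(set_cookie, received_at)
    if observed is None:
        verdict = "browser-session cookie"
    elif abs(observed - configured_timeout) <= tolerance:
        verdict = "matches"
    elif observed < configured_timeout:
        verdict = "shorter"  # something caps the session below the setting
    else:
        verdict = "longer"   # cookie outlives the intended session length
    return observed, verdict


if __name__ == "__main__":
    print(audit(SAMPLE_SET_COOKIE, SAMPLE_RECEIVED_AT, CONFIGURED_SESSION_TIMEOUT))
```

A "longer" verdict is the one to treat as a finding when the timeout was chosen as a security limit, since the browser will keep presenting the cookie past the intended session length.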

Change 279186 had a related patch set uploaded (by Andrew Bogott):
Horizon: Update session config

https://gerrit.wikimedia.org/r/279186

hashar moved this task from Triage to In Progress on the Cloud-Services board.

Change 279186 merged by Andrew Bogott:
Horizon: Update session config

https://gerrit.wikimedia.org/r/279186

If I use SESSION_TIMEOUT values less than two hours, the setting has the desired effect. So someone is capping the value or there's an overflow or something. Currently cloning the django source to see what's going on :(

Change 279975 had a related patch set uploaded (by Andrew Bogott):
Explicitly set Horizon session lengths to two hours.

https://gerrit.wikimedia.org/r/279975

Andrew updated the task description. Mar 28 2016, 5:49 PM

Change 279975 merged by Andrew Bogott:
Explicitly set Horizon session lengths to two hours.

https://gerrit.wikimedia.org/r/279975

Nice catch :-D

Andrew changed the task status from Open to Stalled. Mar 29 2016, 6:04 PM

Stalled pending upstream fix. If people complain about this I can make a local hack in the meantime.

Andrew removed Andrew as the assignee of this task. Mar 29 2016, 6:04 PM

Change 281531 had a related patch set uploaded (by Andrew Bogott):
Increase Horizon timeout to 24 hours.

https://gerrit.wikimedia.org/r/281531

Change 281531 merged by Andrew Bogott:
Increase Horizon timeout to 24 hours.

https://gerrit.wikimedia.org/r/281531

Danny_B removed a subscriber: Danny_B. Jun 3 2016, 2:12 AM
scfc added a subscriber: scfc. Dec 2 2016, 3:52 PM

Is this still an issue? I logged into Horizon yesterday 10:00Z, and when I revisited Horizon just now I'm still logged in, more than 24 hours later.

Andrew closed this task as Resolved. Dec 3 2016, 3:03 AM
Andrew claimed this task.

I've fixed the upstream bug in future versions, hacked a fix locally, and also added the 'remember me' checkbox.