[Kimchi-devel] [RFC] timeout for sessions

Aline Manera alinefm at linux.vnet.ibm.com
Tue Feb 25 17:50:52 UTC 2014


On 02/25/2014 10:18 AM, Sheldon wrote:
> I'd like to talk about timeout for sessions again.
> Firstly, the default timeout of sessions is 60 minutes. It seems too long.
> So I want to set the timeout of sessions explicitly. Maybe 10 minutes is OK.
> If a session is inactive for 10 minutes then it should expire automatically,
> and the user should be asked to log in again. This is required for security reasons.
>
> But this timeout will not take effect on guest tab and host tabs.
>
> For the guest tab, the root cause is that the front end refreshes the VM
> list every 5 seconds by sending the "GET /vms" REST API call to the server.
> For host tabs, the front end will also get the host info and stats all the time.
>
> So the session will never timeout.
>
> There are several proposals for this problem.
> 1. UI sets a timeout.
> If there are no user operations for a certain time (such as 5 seconds), the UI
> stops getting vms or host info and stats,
> and lets the server close the session on timeout.
>
> 2. UI logs out automatically.
> If there are no user operations for a certain time (such as 5 seconds), the UI
> logs out automatically.
>


> 3. Distinguish the user and JS requests.
> Maybe there needs to be an extra header to tell whether a request comes from
> JS or from the user.
> We should set the User-Agent of JS requests explicitly,
> such as:
> User-Agent: auto-robot/1.0
>
> I can check whether CherryPy has some user-agent filter for timeout.
> Even without this filter, I can set extra data on the CherryPy session
> and can force the session to expire with /sessions/./expire/().

From my perspective, solution #3 is the best one and we should focus on it.

>
> Or a cookie to tell the server that this request is sent by the JS robot,
> a similar method to User-Agent.
>
>
> Now the dispute is that:
> 1. When user is at Guests Tab, he wants to keep monitoring VM status, 
> and he doesn't want session to be timed out.
> 2. The UI may collect host info and store host info.
> In these two cases, that means the /host and /vms URLs can not need
> authentication.
>
>
> -- 
> Thanks and best regards!
>
> Sheldon Feng(???)<shaohef at linux.vnet.ibm.com>
> IBM Linux Technology Center
>
>
> _______________________________________________
> Kimchi-devel mailing list
> Kimchi-devel at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/kimchi-devel
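
The idea behind proposal #3, as an added example that is not part of the original thread and is not Kimchi or CherryPy code: the server checks idle expiry on every request but refreshes the idle timer only for requests that do not carry the polling User-Agent. The `IdleTracker` class and `simulate` helper are hypothetical names, and the request sequence is constructed.

```python
IDLE_TIMEOUT = 10 * 60          # seconds: the 10 minutes proposed in the thread
ROBOT_AGENT = "auto-robot/1.0"  # User-Agent value proposed in the thread for JS polling


class SessionExpired(Exception):
    """Raised when a request arrives on an unknown or idled-out session."""


class IdleTracker:
    """Hypothetical helper: remembers the last *user* activity per session id."""

    def __init__(self, timeout=IDLE_TIMEOUT):
        self.timeout = timeout
        self._last_user = {}    # session id -> time of last user-driven request

    def login(self, sid, now):
        self._last_user[sid] = now

    def handle(self, sid, headers, now):
        """Return True if this request refreshed the idle timer."""
        last = self._last_user.get(sid)
        # Expiry is checked first, so polling requests are rejected too
        # once the user has been idle for the full timeout.
        if last is None or now - last >= self.timeout:
            self._last_user.pop(sid, None)   # drop server-side session state
            raise SessionExpired(sid)
        if headers.get("User-Agent") == ROBOT_AGENT:
            return False                     # background poll: served, no refresh
        self._last_user[sid] = now
        return True


def simulate(marked, poll_every=5, duration=15 * 60):
    """Constructed scenario: login at t=0, one user click at t=60, then only
    'GET /vms' polls. Returns the time of the first rejected poll, or None
    if the session was still alive after `duration` seconds."""
    tracker = IdleTracker()
    tracker.login("sid-1", now=0)
    tracker.handle("sid-1", {"User-Agent": "Mozilla/5.0"}, now=60)
    agent = ROBOT_AGENT if marked else "Mozilla/5.0"
    for t in range(65, duration, poll_every):
        try:
            tracker.handle("sid-1", {"User-Agent": agent}, now=t)
        except SessionExpired:
            return t
    return None
```

The marker is supplied by the client, so it is only ever used to withhold a refresh: a request without it is treated as ordinary user activity, exactly as before the change.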
