<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 02/25/2014 10:18 AM, Sheldon wrote:<br>
</div>
<blockquote cite="mid:530C9813.2090206@linux.vnet.ibm.com"
type="cite">
I'd like to talk about timeout for sessions again. <br>
Firstly, the default timeout of sessions is 60 minutes. It seems
too long. <br>
So I want to set the timeout of sessions explicitly. Maybe 10
minutes is OK.<br>
If a session is inactive for 10 minutes then it should expire
automatically <br>
and should ask the user to log in again. This is required for
security reasons. <br>
<br>
But this timeout will not take effect on guest tab and host tabs.<br>
<br>
For the guest tab, the root cause is that the front end refreshes the
vm list every 5 seconds <br>
by sending the "GET /vms" REST API call to the server. <br>
For host tabs, the front end will also get the host info and stats
all the time.<br>
<br>
So the session will never time out.<br>
<br>
There are several proposals for this problem.<br>
1. The UI sets a timeout. <br>
If there are no user operations for a certain time (such as 5 seconds), the UI
stops getting vms or host info and stats<br>
and lets the server close the session on timeout.<br>
<br>
2. The UI logs out automatically.<br>
If there are no user operations for a certain time (such as 5 seconds), the UI logs
out automatically.<br>
<br>
</blockquote>
<br>
<br>
<blockquote cite="mid:530C9813.2090206@linux.vnet.ibm.com"
type="cite"> 3. Distinguish the user and JS requests.<br>
Maybe an extra header is needed to tell whether a request comes from JS
or from the USER. <br>
We should set the User-Agent of JS requests explicitly,<br>
such as: <br>
User-Agent: auto-robot/1.0<br>
<br>
I can check whether CherryPy has some user-agent filter for
timeout. <br>
Even without this filter, I can set extra data for the CherryPy
session <br>
and <span class="st"> can force the session to expire with <em>sessions</em>.<em>expire</em>().</span><br>
</blockquote>
<br>
From my perspective, solution #3 is the best one and we should
focus on it.<br>
<br>
<blockquote cite="mid:530C9813.2090206@linux.vnet.ibm.com"
type="cite"> <br>
or a cookie to tell the server that this request is sent by the JS robot,
a similar method to User-Agent.<br>
<br>
<br>
Now the dispute is that:<br>
1. When the user is at the Guests tab, he wants to keep monitoring VM
status, and he doesn't want the session to be timed out. <br>
2. The UI may collect host info and store host info. <br>
In these two cases, that means the /host and /vms URLs can not need
authentication.<br>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thanks and best regards!
Sheldon Feng(冯少合)<a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:shaohef@linux.vnet.ibm.com">&lt;shaohef@linux.vnet.ibm.com&gt;</a>
IBM Linux Technology Center</pre>
<br>
</blockquote>
<br>
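Added example, not part of the original messages and not Kimchi or CherryPy code: a framework-independent sketch of proposal #3, where requests carrying the <code>User-Agent: auto-robot/1.0</code> marker from the thread do not reset the 10-minute idle timer. The names <code>IdleTracker</code> and <code>first_rejected_poll</code> and the use of plain seconds as timestamps are assumptions made for illustration.<br>

```python
# Added illustration; IdleTracker and first_rejected_poll are hypothetical
# names, not Kimchi or CherryPy APIs. Times are plain seconds.

IDLE_TIMEOUT = 10 * 60          # 10 minutes, as proposed in the thread
ROBOT_AGENT = "auto-robot/1.0"  # polling marker proposed in the thread


class IdleTracker:
    """Remembers the last user-driven request of each session."""

    def __init__(self, timeout=IDLE_TIMEOUT):
        self.timeout = timeout
        self._last_user_activity = {}  # session id -> timestamp

    def login(self, sid, now):
        self._last_user_activity[sid] = now

    def handle(self, sid, headers, now):
        """Return True if the request may proceed, False if login is needed."""
        last = self._last_user_activity.get(sid)
        if last is None:
            return False  # unknown or already expired session
        if now - last > self.timeout:
            # Expire on the server side; a real handler would also drop the
            # framework session here and answer with "login required".
            del self._last_user_activity[sid]
            return False
        # The header is client-controlled, so it is trusted only in the safe
        # direction: a request marked as polling never extends the session,
        # and an unmarked request behaves like ordinary user activity.
        if headers.get("User-Agent") != ROBOT_AGENT:
            self._last_user_activity[sid] = now
        return True


def first_rejected_poll(tracker, sid, start, step, end):
    """Send marked polling requests every `step` seconds; return the time of
    the first one the tracker rejects, or None if all were accepted."""
    for now in range(start, end + 1, step):
        if not tracker.handle(sid, {"User-Agent": ROBOT_AGENT}, now):
            return now
    return None
```

With a last user action at t=30 and polling every 5 seconds, the first poll rejected is the one at t=635, the first to arrive more than 600 seconds after that action.<br>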
</body>
</html>