<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
I'd like to talk about timeout for sessions again. <br>
Firstly, the default timeout of sessions is 60 minutes. It seems
too long. <br>
So I want to set the timeout of sessions explicitly. maybe 10
minutes is OK.<br>
If session got inactive for 10 minutes then it should expire
automatically.
<br>
And should ask user for relogin. This is required for the security
reason.
<br>
<br>
But this timeout will not take effect on guest tab and host tabs.<br>
<br>
For guest tab, the root cause is because the front end refresh the
vm list every 5 seconds
<br>
by sending the "GET /vms" REST API call to the server.
<br>
For host tabs. the front end will also get the host info and stats
all the time.<br>
<br>
So the session will never timeout.<br>
<br>
There are several proposal for this problem.<br>
1. UI set a timeout time. <br>
if no users operations for a certain time(such as 5 seconds), UI
stops to get vms or host info and stats.<br>
and let server close session when timeout.<br>
<br>
2. UI log out automatically.<br>
if no user operations for ertain time(such as 5 seconds), UI log out
automatically.<br>
<br>
3. distinguish the user and JS requests.<br>
Maybe there need an extra header to tell the requests from the JS
request or the USER. <br>
We should set the User-Agent of JS requests explicitly.<br>
such as: <br>
User-Agent: auto-robot/1.0<br>
<br>
I can check whether cherrypy has some user-agent filter for timeout.
<br>
even without this filter, I can set a extra data for Cherrpy
Session. <br>
and <span class="st"> can force the session to expire with <em>sessions</em>.<em>expire</em>().</span><br>
<br>
or a cookie to tell the sever this is request is send by JS robot.
the similar method to User-Agent<br>
<br>
<br>
Now the dispute is that:<br>
1. When user is at Guests Tab, he wants to keep monitoring VM
status, and he doesn't want session to be timed out.
<br>
2. the UI may collection host info and store host info. <br>
If these two case, that means the /host and /vms URL can not need
authentication.<br>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thanks and best regards!
Sheldon Feng(冯少合)<a class="moz-txt-link-rfc2396E" href="mailto:shaohef@linux.vnet.ibm.com"><shaohef@linux.vnet.ibm.com></a>
IBM Linux Technology Center</pre>
</body>
</html>