I'd like to talk about timeout for sessions again.
Firstly, the default timeout of sessions is 60 minutes.  It seems too long.
So I want to set the timeout of sessions explicitly.  maybe 10 minutes is OK.
If session got inactive for 10 minutes then it should expire automatically.
And should ask user for relogin. This is required for the security reason.

But this timeout will not take effect on guest tab and host tabs.

For guest tab, the root cause is because the front end refresh the vm list every 5 seconds
by sending the "GET /vms" REST API call to the server.
For host tabs. the front end will also get the host info and stats all the time.

So the session will never timeout.

There are several proposal for this problem.
1. UI set a timeout time.
if no users operations for a certain time(such as 5 seconds), UI stops to get vms or host info and stats.
and let  server close session when timeout.

2. UI log out automatically.
if no user operations for ertain time(such as 5 seconds), UI log out automatically.

3. distinguish the user and JS requests.
Maybe there need an extra header to tell the requests from the JS request or the USER.
We should set the User-Agent of JS requests explicitly.
such as:
User-Agent: auto-robot/1.0

I can check whether cherrypy has some user-agent filter for timeout.
even without this filter, I can set a extra data for Cherrpy Session.
and can force the session to expire with sessions.expire().

or a cookie to tell the sever this is request is send by JS robot. the similar method to User-Agent


Now the dispute is that:
1. When user is at Guests Tab, he wants to keep monitoring VM status, and he doesn't want session to be timed out.
2. the UI may collection host info and store host info.
If these two case, that means the /host and /vms URL can not need authentication.


-- 
Thanks and best regards!

Sheldon Feng(冯少合)<shaohef@linux.vnet.ibm.com>
IBM Linux Technology Center