4.0 web UI Session expired please try again

Since I upgraded to 4.0, I get this annoying message when I try to log in again after I've been away for a while. On 3.6 the ui would go to a login screen after some period of inactivity, and I could log right back in. With 4.0, logging in after inactivity goes to a page with this message, and I have to click to get a login page and then log in again. This is very annoying. Is there a way to revert to the old behavior?

Robert

-- Senior Software Engineer @ Parsons

With SSO the client sends the client secret to SSO which is stored in the session. Now when the client's session expires all the information including the client secret is lost when the session is purged by the application server.

Here is the sequence:

1. login to webadmin
2. Leave the session until session time out on engine and user is redirected to login page (the client id and secret are sent)
3. If user tries to login now everything will be fine but if user leaves and the session expires the session is purged, client secret is lost
4. User enters user name password on the screen after coming back. The login form does not have a session associated with it so the client and secret are not found and SSO needs to report that the session has expired and redirect user to welcome page.

The client id and secret cannot be stored in login page as they are supposed to be kept secret.

To revert to old behavior we need a patch that can save client and secret for the session outside the session object in a global data structure and create a unique token that can be used to associate the login page with the client secret stored in the global data structure. The token can be included in the login page.

Ravi

On Wed, Jan 4, 2017 at 12:59 PM, Robert Story <rstory@tislabs.com> wrote:
Since I upgraded to 4.0, I get this annoying message when I try to log in again after I've been away for a while. On 3.6 the ui would go to a login screen after some period of inactivity, and I could log right back in. With 4.0, logging in after inactivity goes to a page with this message, and I have to click to get a login page and then log in again. This is very annoying. Is there a way to revert to the old behavior?
Robert
-- Senior Software Engineer @ Parsons
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
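
The approach proposed in the message above (client id and secret kept in a global structure outside the HTTP session, with only a unique token placed in the login page), sketched as an added example that is not part of the thread and is not oVirt's code. The class and function names, the `login_token` field name and the TTL value are assumptions.

```python
import secrets
import threading
import time


class PendingLoginStore:
    """Server-side map from an opaque login-page token to client id/secret."""

    def __init__(self, ttl_seconds=8 * 3600, clock=time.monotonic):
        self._ttl = ttl_seconds          # assumed lifetime; bounds memory use
        self._clock = clock              # injectable so expiry can be tested
        self._lock = threading.Lock()
        self._entries = {}               # token -> (id, secret, expires_at)

    def issue(self, client_id, client_secret):
        """Store the client credentials; return the token for the login form."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        with self._lock:
            self._purge_expired()
            expires_at = self._clock() + self._ttl
            self._entries[token] = (client_id, client_secret, expires_at)
        return token

    def redeem(self, token):
        """Return (client_id, client_secret) once, or None if unknown/expired."""
        with self._lock:
            entry = self._entries.pop(token, None)   # single use
        if entry is None:
            return None
        client_id, client_secret, expires_at = entry
        if self._clock() >= expires_at:
            return None
        return client_id, client_secret

    def _purge_expired(self):
        # Caller holds the lock.
        now = self._clock()
        for tok in [t for t, e in self._entries.items() if e[2] <= now]:
            del self._entries[tok]

    def __len__(self):
        with self._lock:
            return len(self._entries)


def render_login_form(token):
    """Only the opaque token reaches the browser, never the client secret."""
    return f'<input type="hidden" name="login_token" value="{token}">'
```

Because a token is consumed on redemption, a failed password attempt needs a fresh token issued for the retry page. The TTL keeps entries from abandoned login pages from accumulating without limit.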

On Wed, 4 Jan 2017 14:40:06 -0500 Ravi wrote:

RN> With SSO the client sends the client secret to SSO which is stored in the
RN> session. Now when the client's session expires all the information including
RN> the client secret is lost when the session is purged by the application
RN> server.

Is the session expiration time configurable?

RN> 1. login to webadmin
RN> 2. Leave the session until session time out on engine and user is
RN> redirected to login page (the client id and secret are sent)
RN> 3. If user tries to login now everything will be fine but if user leaves
RN> and the session expires the session is purged, client secret is lost
RN> 4. User enters user name password on the screen after coming back. The
RN> login form does not have a session associated with it so the client and
RN> secret are not found and SSO needs to report that the session has expired
RN> and redirect user to welcome page.

So in step 4, can't it just start a new session instead of going to an expiration page? Or show the page for a few seconds and then start a new session?

Or in step 2, set a refresh on the login page that still has a session so that when the session expires it will redirect to a login screen that will start a new session?

Robert

-- Senior Software Engineer @ Parsons

A redirect to the login page from error page would be a more reasonable solution IMO.

On Wed, Jan 4, 2017 at 3:23 PM, Robert Story <rstory@tislabs.com> wrote:
On Wed, 4 Jan 2017 14:40:06 -0500 Ravi wrote:
RN> With SSO the client sends the client secret to SSO which is stored in the
RN> session. Now when the client's session expires all the information including
RN> the client secret is lost when the session is purged by the application
RN> server.
Is the session expiration time configurable?
RN> 1. login to webadmin
RN> 2. Leave the session until session time out on engine and user is
RN> redirected to login page (the client id and secret are sent)
RN> 3. If user tries to login now everything will be fine but if user leaves
RN> and the session expires the session is purged, client secret is lost
RN> 4. User enters user name password on the screen after coming back. The
RN> login form does not have a session associated with it so the client and
RN> secret are not found and SSO needs to report that the session has expired
RN> and redirect user to welcome page.
So in step 4, can't it just start a new session instead of going to an expiration page? Or show the page for a few seconds and then start a new session?
Or in step 2, set a refresh on the login page that still has a session so that when the session expires it will redirect to a login screen that will start a new session?
Robert
-- Senior Software Engineer @ Parsons

On Wed, 4 Jan 2017 16:17:09 -0500 Ravi wrote:

RN> A redirect to the login page from error page would be a more reasonable
RN> solution IMO.

That would still mean that I have to type in my login credential twice, which is what I'm trying to avoid.

Robert

-- Senior Software Engineer @ Parsons

Created a BZ to track the issue https://bugzilla.redhat.com/show_bug.cgi?id=1411416

On Wed, Jan 4, 2017 at 5:35 PM, Robert Story <rstory@tislabs.com> wrote:
On Wed, 4 Jan 2017 16:17:09 -0500 Ravi wrote:
RN> A redirect to the login page from error page would be a more reasonable
RN> solution IMO.
That would still mean that I have to type in my login credential twice, which is what I'm trying to avoid.
Robert
-- Senior Software Engineer @ Parsons
participants (2)
- Ravi Nori
- Robert Story