Reviewed:  https://review.openstack.org/33802
Committed: http://github.com/openstack/horizon/commit/dc7668177a2ef638d9a86e7f6c7f62b075b9592c
Submitter: Jenkins
Branch:    master

commit dc7668177a2ef638d9a86e7f6c7f62b075b9592c
Author: Matthias Runge <mrunge at redhat.com>
Date:   Thu Jun 20 12:52:37 2013 +0200

    Implement Browser session timeout

    By default, Horizon just uses sessions, which expire when the
    browser is closed.

    This additionally implements a session timeout.

    Change-Id: I140ee2ee37e092036a66d890d920423dfc493fba
    Fixes: bug 1118441

** Changed in: horizon
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1118441

Title:
  Horizon does not implement a browser session timeout

Status in OpenStack Dashboard (Horizon):
  Fix Committed

Bug description:
  Horizon does not terminate user sessions (from a browser) after a
  reasonable period of inactivity. The only timeout is that of keystone's
  token which is often set to very long periods. The only session timeout
  implemented by Horizon is Django's SESSION_EXPIRE_AT_BROWSER_CLOSE which
  closes the session when the browser closes.

  Due to the nature of what can be done in Horizon (both now and in the
  future) this could pose significant risk since it enables bystanders to
  make use of unlocked workstations in order to access sensitive data and
  do otherwise unauthorised activities on behalf of what some may call a
  'careless' end-user.

  Implementing a reasonable inactive session timeout for Horizon would
  mitigate this risk.
  An option to solve this problem could be to include this code:
  https://github.com/subhranath/django-session-idle-timeout

  There is some discussion regarding possible solutions here:
  http://stackoverflow.com/questions/3024153/how-to-expire-session-due-to-inactivity-in-django
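
The inactivity check the bug report asks for, sketched as a Django-style middleware. This is an added example, not the code from the Horizon commit or from the linked project; the setting name, session key, FakeSession stand-in, view and redirect string are assumptions chosen so the block runs without Django.

```python
import time
from types import SimpleNamespace

IDLE_TIMEOUT_SECONDS = 1800          # hypothetical value and setting name
LAST_ACTIVITY_KEY = "last_activity"  # hypothetical session key
LOGIN_REDIRECT = "redirect:/login"   # stand-in for an HTTP redirect response


class FakeSession(dict):
    """Constructed stand-in for Django's session (dict API plus flush())."""
    def flush(self):
        self.clear()


class IdleTimeoutMiddleware:
    """Django-style middleware that ends sessions idle longer than `timeout`."""
    def __init__(self, get_response, timeout=IDLE_TIMEOUT_SECONDS, clock=time.time):
        self.get_response = get_response
        self.timeout = timeout
        self.clock = clock

    def __call__(self, request):
        now = self.clock()
        last = request.session.get(LAST_ACTIVITY_KEY)
        if last is not None and now - last > self.timeout:
            # Idle too long: drop the server-side session data so the cookie
            # still held by the unattended browser no longer authenticates.
            request.session.flush()
            return LOGIN_REDIRECT
        # Sliding window: every request that passes the check restarts the timer.
        request.session[LAST_ACTIVITY_KEY] = now
        return self.get_response(request)


def dashboard_view(request):
    # Constructed view: serves content only while the session holds a user.
    return "ok" if "user" in request.session else LOGIN_REDIRECT


def simulate(request_times, timeout=IDLE_TIMEOUT_SECONDS):
    """Replay requests at the given times (seconds) against one session."""
    session = FakeSession(user="demo")    # constructed logged-in session
    clock = iter(request_times).__next__  # the middleware reads one time per request
    mw = IdleTimeoutMiddleware(dashboard_view, timeout, clock)
    return [mw(SimpleNamespace(session=session)) for _ in request_times]
```

The timestamp is refreshed only on requests that pass the check, so the request that arrives after the idle period cannot revive the session, and the flush happens server-side rather than relying on the browser to discard its cookie.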