We are using the F5 APM to control access to our webapp, but are having some issues regarding expiration rules.
The scenario we want is that the cookie expires 12 hours after creation, or upon browser close, whichever comes first.
Despite our efforts, it would seem that we only have 1 of two options
set the cookies "Expires" property to 12 hours (or max-age)
don't set the "Expires" property at all
The first option successfully allows for the cookie to expire after 12 hours, but if the browser closes, the cookie is persisted until that time, so only one of the 2 conditions is met.
The second option will expire the cookie on browser close, but will not expire if the browser is open for 12 hours or more.
Is there a setting with the F5 APM that will expire the session on the F5 side, while the cookie can remain a session cookie on the browser side?
The best way to accomplish what you are trying to do with APM is to use a session cookie for the APM MRH cookie, and then set the Maximum Session Timeout setting to 12 hours (the value is set in seconds) on the Access profile under Properties in the Settings section (on version 11.x, may be in a slightly different place on v10.x). This will do exactly what you are trying to do.
Related
This may sound like a very trivial doubt, but I need some help here.
I have set up Application load balancer with OIDC authentication. After logging into my application, using chrome developer tool I looked into the client application cookie. Found that AWSELBAuthSessionCookie-0 and AWSELBAuthSessionCookie-1 have an expiry 2070-10-04T05:02:12.122Z which is almost 50 years from now. Since the ALB isn't forwarding this cookie to my application (EC2) which resides behind the ALB, I am unable to reset the cookie's expiration. I am using Flask to read the headers. Any leads to reduce the AWSELBAuthSessionCookie's expiry will be helpful.
quite an old question already but here are my 2 cents:
invalidating a cookie is somehow just a set-cookie with an expired date, so I don't think you need to be able to read the cookie from the request to invalidate it. I have not tried but I would just do something like
Set-Cookie "AWSELBAuthSessionCookie-0=deleted;path=/;expires=Thu, 01 Jan 1970 00:00:00 GMT;"
for the 2nd point (from #codematix), to logout you need to invalidate the auth cookie AND to redirect the user the logout page configured in your IDP (probably to also invalidate the tokens, otherwise the ALB would just revalidate the tokens and re-create a session). See https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html#authentication-logout-timeout
I think you are confusing the ALB session (JSESSIONID cookie if I recall correctly) with the auth session cookie here.
Once again I am no time to validate this but hope that helps :)
I too have the same question, in my case it is being set to Expires=Sat, 29 Aug 2071 22:16:30 GMT. And I am unsure, even when I have set the Session timeout to 14400 seconds which is about 4 hours in the ALB authenticate rule.
It is quite unexplainable as to why this large expiry time would be set despite an explicit smaller value.
I tried to increase the cookie expiry time and activated sliding expiry.
But the cookie expiry is still "N/A"
what problems will it cause, why expiry is not shown. In this case what will happen to cookie. when will it expire.
It means the cookie will expire at the end of the session (when the browser closes, but not always).
When user privacy is a concern, It is important that any web app
implementation will invalidate cookie data after a certain timeout and
won't rely on the browser clearing session cookies.
One of the most beloved features of Firefox prevents session cookies from ever
expiring. The same issue is also occuring with google chrome (and
probably with other browsers offering similar features)
We use cookie to remember user's login status. The cookie's expire time in my code is all right, but when redirected to another page, the cookie is missing. Then I modify the code, add 100 years to the cookie's expire time. Finally, the browser shows the expire time is 2115-07-23.
Here is the code picture and local time:
A few minutes later,the system broken down. When I open the program again, it is all right! It's unbelievable!
Is it possible to have a session cookie that expires? Ie. I want the cookie to last maximum 30 minutes, but also get deleted if the user closes his browser. Workarounds are also welcome.
Tried the max-age setting, but that made it not delete when the browser ends.
As far as I know, you can't do both in one cookie. It's one or the other, so either:
set the max-age to 30 minutes to create a persistent cookie; or
don't set the max-age to create a session cookie.
What you could do, however, is create both a session cookie and a 30 minute persistent cookie with different names, and then base your session handling on the presence of both cookies.
The Django documentation states:
You can control whether the session framework uses browser-length
sessions vs. persistent sessions with the
SESSION_EXPIRE_AT_BROWSER_CLOSE setting.
If SESSION_EXPIRE_AT_BROWSER_CLOSE is set to True, Django will use
browser-length cookies -- cookies that expire as soon as the user
closes his or her browser. Use this if you want people to have to log
in every time they open a browser.
This setting is a global default and can be overwritten at a
per-session level by explicitly calling the set_expiry() method of
request.session as described above in using sessions in views.
So when I set SESSION_EXPIRE_AT_BROWSER_CLOSE to True in my settings file, this indeed is what it does. This is good because I want a user's session to expire upon browser close. However, I also want a user's session to expire after, say, 15 minutes of inactivity. If I use set_expiry() mentioned above, the SESSION_EXPIRE_AT_BROWSER_CLOSE is overridden so if a user closes the browser and then re-opens the browser before the expiration, the session is still valid. Not what I want.
In addition, the documentation for set_expiry() says the sessions expires after the set amount of time of inactivity. That's actually not true. It expires no matter what, whether my user is clicking around on the site or not.
So to summarize, what I want to do is:
Have my sessions configured that if the user closes the browser, the session automatically expires.
Set a session expiration length that is updated with activity, i.e. if a user does something else on the site, the expiration is reset.
Thoughts/suggestions?
As Jiaaro suggested in this answer you can use SESSION_EXPIRE_AT_BROWSER_CLOSE and set a timestamp on session at each request and add a custom Middleware to handle the inactivity.
From docs https://docs.djangoproject.com/en/1.8/topics/http/sessions/#browser-length-sessions-vs-persistent-sessions
Some browsers (Chrome, for example) provide settings that allow users to continue browsing sessions after closing and re-opening the browser. In some cases, this can interfere with the SESSION_EXPIRE_AT_BROWSER_CLOSE setting and prevent sessions from expiring on browser close. Please be aware of this while testing Django applications which have the SESSION_EXPIRE_AT_BROWSER_CLOSE setting enabled.
Sessions expire when the user closes the browser:
This requirement implemented by setting SESSION_EXPIRE_AT_BROWSER_CLOSE to True.
Reference
Sessions expire after a period of inactivity:
SESSION_COOKIE_AGE is the age of session cookies, in seconds.
Default: 1209600 (2 weeks, in seconds)
Reference
You should set these option on your setting/__init__.py
Search engine cache make sure then the session will be closed when TOGETHER with SESSION_EXPIRE_AT_BROWSER_CLOSE = TRUE
SESSION_ENGINE = 'django.contrib.sessions.backends.cache'
By default, SESSION_EXPIRE_AT_BROWSER_CLOSE is set to False, which means session cookies will be stored in users’ browsers for as long as SESSION_COOKIE_AGE. Use this if you don’t want people to have to log in every time they open a browser.
If SESSION_EXPIRE_AT_BROWSER_CLOSE is set to True, Django will use browser-length cookies – cookies that expire as soon as the user closes their browser. Use this if you want people to have to log in every time they open a browser.