Posted to dev@qpid.apache.org by "Keith Wall (JIRA)" <ji...@apache.org> on 2016/08/01 07:51:20 UTC

[jira] [Commented] (QPID-7034) Inactive web management console session not automatically timed-out

    [ https://issues.apache.org/jira/browse/QPID-7034?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15401672#comment-15401672 ] 

Keith Wall commented on QPID-7034:
----------------------------------

We should impose an absolute limit on the length of the Web Management Console session (https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Absolute_Timeout).

> Inactive web management console session not automatically timed-out
> -------------------------------------------------------------------
>
>                 Key: QPID-7034
>                 URL: https://issues.apache.org/jira/browse/QPID-7034
>             Project: Qpid
>          Issue Type: Bug
>          Components: Java Broker
>            Reporter: Keith Wall
>             Fix For: qpid-java-6.2
>
>
> If, as an operator, I have a session open on the web management console, the session should expire and I should be forced to reauthenticate if I don't use the application for a period of time.
> This currently doesn't happen. Web Management correctly establishes an HTTP session timeout, but the session is kept alive by the regular polls the client side makes to the server. This is sufficient to keep the session alive and means the user is never automatically logged out.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
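
The two limits discussed in this issue, as an added example (not code from the Qpid broker or from the participants in this thread): an idle timeout that background polls cannot reset, plus an absolute session lifetime. The class name, the userInitiated flag and the 15 minute / 8 hour limits are assumptions made for illustration.

```java
import java.time.Duration;
import java.time.Instant;

// Hypothetical policy object; one instance is stored per authenticated session.
public class SessionTimeoutPolicy {
    private final Duration idleLimit, absoluteLimit;
    private final Instant createdAt;
    private Instant lastUserActivity;

    public SessionTimeoutPolicy(Duration idleLimit, Duration absoluteLimit, Instant now) {
        this.idleLimit = idleLimit;
        this.absoluteLimit = absoluteLimit;
        this.createdAt = now;
        this.lastUserActivity = now;
    }

    // Called for every request. userInitiated is an assumed marker that the client
    // sets only on requests caused by operator action; periodic polls omit it.
    public boolean onRequest(Instant now, boolean userInitiated) {
        if (isExpired(now)) {
            return false; // caller invalidates the session and forces reauthentication
        }
        if (userInitiated) {
            lastUserActivity = now; // only operator actions reset the idle clock
        }
        return true;
    }

    public boolean isExpired(Instant now) {
        boolean idle = Duration.between(lastUserActivity, now).compareTo(idleLimit) >= 0;
        boolean tooOld = Duration.between(createdAt, now).compareTo(absoluteLimit) >= 0;
        return idle || tooOld;
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2016-08-01T08:00:00Z"); // constructed timeline
        SessionTimeoutPolicy s = new SessionTimeoutPolicy(Duration.ofMinutes(15), Duration.ofHours(8), t0);
        // Polls every 5 minutes with no operator action must not keep the session alive.
        for (int m = 5; m <= 20; m += 5) {
            System.out.println(m + " min poll -> valid=" + s.onRequest(t0.plus(Duration.ofMinutes(m)), false));
        }
        // Continuous operator activity cannot extend the session past the absolute limit.
        SessionTimeoutPolicy busy = new SessionTimeoutPolicy(Duration.ofMinutes(15), Duration.ofHours(8), t0);
        boolean valid = true;
        for (int m = 10; m <= 480 && valid; m += 10) {
            valid = busy.onRequest(t0.plus(Duration.ofMinutes(m)), true);
        }
        System.out.println("active session valid at 8h = " + valid);
    }
}
```

Because the activity marker comes from the client, it only separates polls from operator actions in a well-behaved console; the absolute limit is the bound that holds regardless of what the client sends.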
