[ https://issues.apache.org/jira/browse/AIRFLOW-4413?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joshua Kornblum updated AIRFLOW-4413:
-------------------------------------
    Summary: Expose making flask sessions permanent via webserver_config or airflow.cfg  (was: Expose making flask sessions permanent via webserver_config)

> Expose making flask sessions permanent via webserver_config or airflow.cfg
> --------------------------------------------------------------------------
>
>                 Key: AIRFLOW-4413
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-4413
>             Project: Apache Airflow
>          Issue Type: Improvement
>          Components: webserver
>    Affects Versions: 1.10.3
>            Reporter: Joshua Kornblum
>            Priority: Minor
>             Fix For: 1.10.4
>
>
> (These comments reflect my best understanding of Airflow/Flask/FAB; if 
> something is incorrect, please let me know.)
> *Proposal*
> Create a setting in either airflow.cfg or webserver_config.py that is a boolean 
> for making the Flask session permanent. Set the session permanent in Flask 
> `before_request` as found online/stackoverflow. Setting the session permanent on 
> login/signup is difficult given the different login options from FAB + the 
> ability to plug your own auth into FAB.
>  
> The change would look something like this ...
> In `airflow.www.app`
> ```
> from flask import session as g_sesion
> ...
> app.config['SESSION_COOKIE_SECURE'] = conf.getboolean('webserver', 'COOKIE_SECURE')
> app.config['SESSION_COOKIE_SAMESITE'] = conf.get('webserver', 'COOKIE_SAMESITE')
> if conf.getboolean('webserver', 'PERMANENT_SESSION'):
>     # Register a hook that marks the session permanent on every request
>     @app.before_request
>     def modify_request():
>         logging.info("making session perm...")
>         if session:
>             session.permanent = True
>         else:
>             g_sesion.permanent = True
> if config:
>     app.config.from_mapping(config)
> ...
> ```
>  
> *Background*
> With Flask default configuration the Flask session is non-permanent 
> (destroyed when closing browser), the session lifetime is set to 31 days, and 
> the session lifetime cannot be refreshed from activity (requires permanent 
> session). 
> At my employer we have a corporate standard that application logins must expire 
> after 12 hours of inactivity. I can set Flask config 
> `PERMANENT_SESSION_LIFETIME` and Flask will respect that but without setting 
> `session.permanent = True` the session cannot be refreshed from activity so 
> the session lifetime I set starts ticking from session start regardless of 
> activity. I feel like adding this security feature to config could be useful 
> for many individuals managing Airflow deployments.
>  
>  
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
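
The Flask behaviour described in the Background section above, as an added example that is not part of the original issue or of Airflow's code: with the `before_request` hook the session cookie carries an `Expires` of `PERMANENT_SESSION_LIFETIME` and is re-issued on every request, while without it the cookie has no expiry and is not re-issued on read-only activity. The `/login` and `/page` routes, the user name and the secret key are constructed for the demonstration.

```python
from datetime import timedelta
from email.utils import parsedate_to_datetime

from flask import Flask, session

LIFETIME = timedelta(hours=12)  # the 12-hour inactivity limit from the issue


def build_app(permanent):
    app = Flask(__name__)
    app.secret_key = "constructed-key-for-this-example"  # constructed value
    app.config["PERMANENT_SESSION_LIFETIME"] = LIFETIME
    if permanent:
        @app.before_request
        def make_session_permanent():
            session.permanent = True

    @app.route("/login")  # hypothetical route standing in for any login view
    def login():
        session["user"] = "alice"
        return "ok"

    @app.route("/page")  # hypothetical read-only page: activity, no session write
    def page():
        return session.get("user", "anonymous")

    return app


def cookie_expiry(set_cookie):
    """Expires attribute as an aware datetime; None if absent (browser-session cookie)."""
    for attr in (set_cookie or "").split(";"):
        name, _, value = attr.strip().partition("=")
        if name.lower() == "expires":
            return parsedate_to_datetime(value)
    return None


def observe(permanent):
    """Return (Set-Cookie after /login, Set-Cookie after a later /page request)."""
    client = build_app(permanent).test_client()
    return (client.get("/login").headers.get("Set-Cookie"),
            client.get("/page").headers.get("Set-Cookie"))


if __name__ == "__main__":
    for flag in (False, True):
        login, page = observe(flag)
        print(flag, cookie_expiry(login), "reissued" if page else "not reissued")
```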