[ https://issues.apache.org/jira/browse/QPID-7034?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16148815#comment-16148815 ]
Alex Rudyy commented on QPID-7034:
----------------------------------

Keith,

The changes implemented in commit [ https://git-wip-us.apache.org/repos/asf?p=qpid-broker-j.git;h=52b9f91 ] look reasonable to me.

Regarding invalidation of AMQP management sessions, I suppose we can implement it as you have suggested using the profile concept, but I am not convinced that it is absolutely necessary, as neither the core AMQP spec nor the management AMQP spec requires this. Whilst for web it is required to avoid http session hijacking, the amqp connection/session hijacking seems impossible to me. Though, theoretically, with some kind of token based authentication/authorization, the attacker might hijack authentication/authorization token(s) and use them for establishing a new amqp connection to the broker, but in this case the broker should derive connection/session expiration from the token itself. I am not convinced that expiration settings should be driven from profiles.

> Inactive web management console session not automatically timed-out
> -------------------------------------------------------------------
>
>                 Key: QPID-7034
>                 URL: https://issues.apache.org/jira/browse/QPID-7034
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker
>            Reporter: Keith Wall
>            Assignee: Keith Wall
>             Fix For: qpid-java-broker-7.0.0
>
>
> If, as an operator, I have a session open on the web management console, the
> session should expire and I should be forced to reauthenticate if I don't use
> the application for a period of time.
> This currently doesn't happen. Web Management correctly establishes an HTTP
> session timeout, but the session is kept alive by the regular polls the
> client side makes to the server. This is sufficient to keep the session
> alive and means the user is never automatically logged out.
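The failure mode in the quoted issue, as an added example that is not Qpid Broker-J code: the idle clock is reset only by genuine user requests, so the console's background polls cannot keep the session alive indefinitely. The class name, the poll path allow-list and the timestamps are assumptions constructed for the example.

```python
# Added example, not Qpid Broker-J code: an idle timeout that background
# polls cannot extend. Names (SessionTracker, POLL_PATHS) are hypothetical;
# times are constructed sample values in seconds.
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_TIMEOUT = 15 * 60  # seconds without *user* activity before re-auth

# Hypothetical allow-list of requests the console sends on its own.
POLL_PATHS = frozenset({"/api/latest/broker/status"})


@dataclass
class Session:
    last_user_activity: float
    last_seen: float  # any request, polls included (diagnostics only)
    poll_count: int = 0


class SessionTracker:
    def __init__(self, idle_timeout: float = IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self._sessions: Dict[str, Session] = {}

    def login(self, sid: str, now: float) -> None:
        self._sessions[sid] = Session(last_user_activity=now, last_seen=now)

    def touch(self, sid: str, path: str, now: float) -> bool:
        """Record a request; return False and drop the session once the idle
        timeout has elapsed, so the caller can force re-authentication."""
        s = self._sessions.get(sid)
        if s is None:
            return False
        if now - s.last_user_activity > self.idle_timeout:
            del self._sessions[sid]  # expired: polls did not keep it alive
            return False
        s.last_seen = now
        if path in POLL_PATHS:
            s.poll_count += 1  # background poll: idle clock is not reset
        else:
            s.last_user_activity = now  # genuine user action resets it
        return True


def simulate(user_click_at: Optional[float]) -> bool:
    """Log in at t=0, poll every 30 s for 20 min, optionally click once;
    return whether a user request at t=20 min is still accepted."""
    tracker = SessionTracker()
    tracker.login("s1", 0.0)
    for t in range(30, 20 * 60, 30):
        tracker.touch("s1", "/api/latest/broker/status", float(t))
        if user_click_at is not None and t == user_click_at:
            tracker.touch("s1", "/api/latest/queue", float(t))
    return tracker.touch("s1", "/api/latest/queue", 20 * 60.0)
```

With polls only, the session is gone after 15 minutes; a single user action at the 10-minute mark keeps it valid at 20 minutes.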