[ https://issues.apache.org/jira/browse/QPID-7034?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16148815#comment-16148815 ]

Alex Rudyy commented on QPID-7034:
----------------------------------

Keith,
The changes implemented in commit [ https://git-wip-us.apache.org/repos/asf?p=qpid-broker-j.git;h=52b9f91 ] look reasonable to me.

Regarding invalidation of AMQP management sessions, I suppose we can implement 
it as you have suggested using the profile concept, but I am not convinced that it 
is absolutely necessary, as neither the core AMQP spec nor the AMQP management spec 
requires this. Whilst for the web it is required to avoid HTTP session hijacking, 
AMQP connection/session hijacking seems impossible to me. Though theoretically, 
with some kind of token based authentication/authorization, the 
attacker might hijack authentication/authorization token(s) and use them for 
establishing a new AMQP connection to the broker, but in this case the broker 
should derive connection/session expiration from the token itself. I am not 
convinced that expiration settings should be driven from profiles.

> Inactive web management console session not automatically timed-out
> -------------------------------------------------------------------
>
>                 Key: QPID-7034
>                 URL: https://issues.apache.org/jira/browse/QPID-7034
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker
>            Reporter: Keith Wall
>            Assignee: Keith Wall
>             Fix For: qpid-java-broker-7.0.0
>
>
> If as an operator, I have a session open on the web management console, the 
> session should expire and I should be forced to reauthenticate if I don't use 
> the application for a period of time.
> This currently doesn't happen.  Web Management correctly establishes an HTTP 
> session timeout, but the session is kept alive by the regular polls the 
> client side makes to the server.  This is sufficient to keep the session 
> alive and means the user is never automatically logged out.

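The two mechanisms discussed in this thread, an idle timeout that the console's own background polling must not refresh, and an absolute expiry derived from an authentication token, can be modelled together in a small session store. The following is an added example written for this discussion; it is not Qpid Broker-J code and does not reflect how the broker's web management layer or commit 52b9f91 actually implements sessions. The names (SessionStore, authenticate, the background_poll flag, the 15 minute idle limit and the constructed simulations) are all assumptions for illustration.

```python
"""Constructed model of a management-console session store.

Added example, not Qpid Broker-J code. It shows why the original bug
happens (every request, including the client's periodic poll, refreshes
the HTTP session) and the two expiry rules discussed in the thread:

  * idle timeout measured from the last *user-initiated* request, so that
    background polls cannot keep an unattended console logged in;
  * an absolute expiry taken from an auth token, if the login carried one,
    so the session can never outlive the credential that created it.

Everything below (class and function names, the 15 minute idle limit, the
way a poll is distinguished from user activity) is an assumption made for
this example.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_TIMEOUT_SECONDS = 15 * 60  # hypothetical idle limit for the console


@dataclass
class Session:
    principal: str
    last_user_activity: float          # time of the last request the user initiated
    absolute_expiry: Optional[float]   # e.g. token expiry; None means no hard cap


class SessionStore:
    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_SECONDS) -> None:
        self._idle_timeout = idle_timeout
        self._sessions: Dict[str, Session] = {}

    def login(self, principal: str, now: float,
              token_expiry: Optional[float] = None) -> str:
        """Create a session; returns an unguessable session id."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(principal, now, token_expiry)
        return sid

    def expiry_deadline(self, session: Session) -> float:
        """Session dies at the earlier of idle deadline and absolute expiry."""
        idle_deadline = session.last_user_activity + self._idle_timeout
        if session.absolute_expiry is None:
            return idle_deadline
        return min(idle_deadline, session.absolute_expiry)

    def authenticate(self, sid: str, now: float,
                     background_poll: bool) -> Optional[str]:
        """Validate a request for an existing session.

        Returns the principal, or None if the session is missing or expired
        (in which case it is removed and the caller must re-authenticate).
        Only requests that are not background polls count as user activity.
        """
        session = self._sessions.get(sid)
        if session is None:
            return None
        if now >= self.expiry_deadline(session):
            del self._sessions[sid]
            return None
        if not background_poll:
            session.last_user_activity = now
        return session.principal


def simulate_polling_only(polls_refresh_session: bool, poll_interval: float = 5.0,
                          duration: float = 3600.0,
                          idle_timeout: float = 900.0) -> Optional[float]:
    """Drive a session with nothing but client polls (constructed workload).

    polls_refresh_session=True reproduces the reported bug: polls are treated
    as activity. Returns the time at which the session became invalid, or
    None if it survived the whole duration.
    """
    store = SessionStore(idle_timeout)
    sid = store.login("operator", now=0.0)
    t = 0.0
    while t <= duration:
        t += poll_interval
        if store.authenticate(sid, now=t,
                              background_poll=not polls_refresh_session) is None:
            return t
    return None


def simulate_token_bound(token_expiry: float = 300.0, activity_interval: float = 60.0,
                         idle_timeout: float = 900.0) -> Optional[float]:
    """An active user whose login carried a token expiring at token_expiry.

    Constant real activity keeps the idle deadline far away, yet the session
    still ends when the token does. Returns the time of invalidation.
    """
    store = SessionStore(idle_timeout)
    sid = store.login("operator", now=0.0, token_expiry=token_expiry)
    t = 0.0
    while t <= 2 * token_expiry:
        t += activity_interval
        if store.authenticate(sid, now=t, background_poll=False) is None:
            return t
    return None
```

With the buggy behaviour (polls refresh the session) the operator is never logged out no matter how long the console sits unattended; with polls excluded from activity the session is invalidated exactly at the idle limit, and a session created from an expiring token ends when the token does regardless of activity. In a real deployment the server, not the client, must decide which requests are background polls (for example by route), since a client-supplied flag could be forged by whoever holds the session cookie.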