Expire session from init

What does this MR do and why?

This MR allows admins to configure GitLab to compute session TTL based on date of session initialization rather than last activity or remember me status.

  • Adds setting to toggle "expire from creation" on sessions
  • If the setting is enabled, prevents further activity or settings from extending the TTL of the session object in Redis; instead sets the TTL of the new session key to be the old TTL.

!395038. Other issues request similar support; this is just the most in-depth.

How to set up and validate locally

  1. Navigate to the Admin Area > Settings > General > Account and Limit and enable "expire session from creation"
  2. Create a new user session
  3. Validate correct TTL for said session
  4. Perform an action as aforementioned user that would normally extend the session duration
  5. Validate the session TTL has not been reset and is from the time of original session creation.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by John Parent
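
The TTL behaviour and validation steps described above, as an added Ruby example that is not part of the merge request or of GitLab's code. It uses an in-memory stand-in for Redis with a manual clock; the class names, key names and the 3600-second default TTL are assumptions.

```ruby
# Added illustration, not GitLab code. FakeStore mimics Redis SETEX/TTL with a
# manual clock; every class, method and key name here is hypothetical.
class FakeStore
  attr_accessor :now

  def initialize
    @now = 0
    @data = {}
  end

  # Like SETEX: store the value with an expiry `ttl` seconds from now.
  def setex(key, ttl, value)
    @data[key] = [value, @now + ttl]
  end

  # Like TTL: remaining seconds, or -2 when the key is missing or expired.
  def ttl(key)
    expires_at = @data.fetch(key, [nil, 0])[1]
    expires_at > @now ? expires_at - @now : -2
  end
end

class SessionWriter
  def initialize(store, default_ttl:, expire_from_creation:)
    @store = store
    @default_ttl = default_ttl
    @expire_from_creation = expire_from_creation
  end

  # Runs whenever a request writes the session back, possibly under a new key.
  def write(new_key, session, old_key: new_key)
    remaining = @store.ttl(old_key)
    # With the setting on, a live session keeps its original deadline.
    ttl = @expire_from_creation && remaining > 0 ? remaining : @default_ttl
    @store.setex(new_key, ttl, session)
  end
end

# Steps 2-5 of the validation list: create, check TTL, act, check TTL again.
def ttl_after_activity(expire_from_creation)
  store = FakeStore.new
  writer = SessionWriter.new(store, default_ttl: 3600, expire_from_creation: expire_from_creation)
  writer.write("session:a", { user_id: 1 })           # session created at t=0
  store.now = 1500                                    # 25 minutes later
  writer.write("session:b", { user_id: 1 }, old_key: "session:a") # activity
  store.ttl("session:b")
end
```

With the setting on, the session written at t=1500 carries the 2100 seconds left from creation; with it off, activity resets the TTL to the full 3600.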