Use Warden hooks to enforce sign-out regardless of activity
What does this MR do and why?
Rather than using ActiveSession, we use Warden hooks to sign users out after a period specified in settings, provided the feature flag and settings are enabled.
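The mechanism described above, as an added example that is not GitLab's code: an absolute session lifetime enforced from Warden hooks, so that a session expires a fixed time after creation no matter how active the user is (which also bounds how long a leaked session cookie stays usable). `ExpirySettings`, `SETTINGS` and the `session_created_at` key are assumptions standing in for the MR's application settings and session storage; the feature flag is not modelled. The Warden registration uses the real `after_authentication` / `after_set_user` hook API but is only run when the gem is loaded, so the file also executes on its own.

```ruby
# Added example (not GitLab's code): absolute session lifetime enforced via
# Warden hooks, independent of user activity. `ExpirySettings`, `SETTINGS` and
# the session key are stand-ins (assumptions) for the MR's real settings.
require 'time'

ExpirySettings = Struct.new(:enabled, :duration_minutes, keyword_init: true)

# Hypothetical source of the two settings controlled in the Admin Area.
SETTINGS = ExpirySettings.new(enabled: true, duration_minutes: 3)

module SessionHardExpiry
  INIT_KEY = 'session_created_at'.freeze

  # Record the creation time once; later calls never move it, so activity
  # does not extend the lifetime (this is what distinguishes it from an
  # idle timeout, which resets on every request).
  def self.stamp(session, now: Time.now)
    session[INIT_KEY] ||= now.to_i
    session[INIT_KEY]
  end

  # Seconds since the session was created, or nil if it was never stamped.
  def self.age_seconds(session, now: Time.now)
    created = session[INIT_KEY]
    created ? now.to_i - created.to_i : nil
  end

  # True once the session has lived for the configured duration.
  # An unstamped session is not expired here; the hook stamps it first.
  def self.expired?(session, settings, now: Time.now)
    return false unless settings.enabled && settings.duration_minutes.to_i > 0
    age = age_seconds(session, now: now)
    !age.nil? && age >= settings.duration_minutes * 60
  end

  # Per-request decision: stamp if needed, then report whether to sign out.
  # Returns :continue or :expired so callers (and tests) can see the outcome.
  def self.check(session, settings, now: Time.now)
    stamp(session, now: now)
    expired?(session, settings, now: now) ? :expired : :continue
  end
end

# Wiring into Warden is only registered when the gem is loaded, so this file
# still runs stand-alone without it.
if defined?(Warden::Manager)
  # Stamp the session at login time.
  Warden::Manager.after_authentication do |_user, auth, _opts|
    SessionHardExpiry.stamp(auth.raw_session)
  end

  # Runs on every request that restores the user from the session (:fetch),
  # so the check happens regardless of which page was requested.
  Warden::Manager.after_set_user do |_user, auth, opts|
    if SessionHardExpiry.check(auth.raw_session, SETTINGS) == :expired
      auth.logout(opts[:scope])
      throw :warden, scope: opts[:scope], message: :session_expired
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed walkthrough: one session, checked at several points after login.
  session = {}
  t0 = Time.at(1_700_000_000)
  [0, 60, 120, 179, 180].each do |offset|
    puts "#{offset}s after login: #{SessionHardExpiry.check(session, SETTINGS, now: t0 + offset)}"
  end
end
```

With the 3-minute setting from the validation steps, every request up to 179 seconds after login returns `:continue` and the first request at or after 180 seconds returns `:expired`, even though the session was touched on each intermediate request; a session that was never stamped (created before the flag was enabled) gets stamped on its next request and starts its clock from there.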
References
- Feature issue: #395038 (closed)
- Initial MR introducing setting and ActiveSession changes: !183472 (diffs)
- Frontend MR to be developed when backend is fixed: !186443 (merged)
Screenshots or screen recordings
How to set up and validate locally
- Enable the feature flag on the Rails console: `Feature.enable :session_expire_from_init`
- Go to Admin Area ➡️ Settings ➡️ General ➡️ Account and Limit (https://gdk.test:3443/admin/application_settings/general#js-account-settings)
- Set a short Session duration (minutes): 2 or 3 minutes
- Under Session Settings select Expire session from time of creation
- Save your changes
- Log out
- Restart GitLab locally: `gdk restart rails-web` (changes to the default session duration only apply after a restart)
- Log in again once the app has rebooted
- Browse the site for 3 or 4 minutes
- After the default session duration, you should be automatically logged out, and your next request will take you to the sign-in page.
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #395038 (closed)