Lower session expiry when user is unauthenticated (!88514) · Merge requests · GitLab.org / GitLab

Heinrich Lee Yu requested to merge lower-session-ttl-for-oauth-controller into master May 25, 2022

What does this MR do and why?

When a user is redirected to sign in, the limit_session_time helper is not called in certain cases.

This MR fixes them so that the lower expiry is set properly.

How to set up and validate locally

Run gdk redis-cli monitor | grep "session:gitlab" to monitor Redis commands
Run curl http://127.0.0.1:3000/dashboard/todos / curl http://127.0.0.1:3000/oauth/authorize\?client_id\=123 to make a request that gets redirected to sign-in
Notice that the expiry is now set to 7200 instead of 604800

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

I have evaluated the MR acceptance checklist for this MR.

Edited May 25, 2022 by Heinrich Lee Yu

Lower session expiry when user is unauthenticated

What does this MR do and why?

How to set up and validate locally

MR acceptance checklist

Merge request reports