Limit the TTL for anonymous sessions to 1 hour (EE port)

Stan Hu requested to merge sh-limit-unauthenticated-session-times-ee into master

By default, all sessions are given the same expiration time configured in the session store (e.g. 1 week). However, unauthenticated users can generate a lot of sessions, primarily for CSRF verification. It makes sense to reduce the TTL for unauthenticated sessions to something much lower than the default (e.g. 1 hour) to limit Redis memory. In addition, Rails creates a new session after login, so the short TTL doesn't even need to be extended.

Closes gitlab-org/gitlab-ce#48101

CE port: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/20700

Edited by Stan Hu
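As an added illustration (this is not code from the merge request or from GitLab), the following Ruby sketch shows the mechanism the description relies on: a Rack-style middleware that stores a session with a 1-hour TTL when no user is logged in and with the store's default TTL otherwise, and a simulation of the login flow in which Rails issues a fresh session so the short-lived anonymous one is never extended. The `user_id` session key is a hypothetical marker for "logged in", and the Redis-backed store is replaced by an in-memory stand-in with a fake clock so the example runs offline; Rack's `env['rack.session.options'][:expire_after]` convention is real.

```ruby
# Added example, not GitLab's implementation: short TTL for anonymous sessions,
# default TTL for authenticated ones. Store and clock are simulated in memory.
require 'securerandom'

ANONYMOUS_TTL = 60 * 60          # 1 hour for sessions with no logged-in user
DEFAULT_TTL   = 7 * 24 * 60 * 60 # 1 week, the store's configured default

# Hypothetical session key marking a logged-in user (assumption for this example).
USER_KEY = 'user_id'

# Pick the expiry for a session hash; in Rails this value would be assigned to
# request.session_options[:expire_after] from a filter.
def session_ttl(session, anonymous_ttl: ANONYMOUS_TTL, default_ttl: DEFAULT_TTL)
  session[USER_KEY] ? default_ttl : anonymous_ttl
end

# Minimal Redis-like store: key -> [value, expires_at]. Stands in for the real
# Redis session store so the example is self-contained.
class TtlStore
  def initialize(now: -> { Time.now })
    @data = {}
    @now = now
  end

  def set(key, value, ttl)
    @data[key] = [value, @now.call + ttl]
  end

  # Lazily expire on read, like a TTL'd key disappearing from Redis.
  def get(key)
    entry = @data[key]
    return nil unless entry
    value, expires_at = entry
    if @now.call >= expires_at
      @data.delete(key)
      nil
    else
      value
    end
  end

  # Remaining lifetime in seconds; -2 mirrors Redis TTL for a missing key.
  def ttl(key)
    entry = @data[key]
    entry ? (entry[1] - @now.call).to_i : -2
  end
end

# Middleware: after the app runs, persist the session with a TTL chosen from its
# authentication state via Rack's rack.session.options[:expire_after].
class AnonymousSessionTtl
  def initialize(app, store)
    @app = app
    @store = store
  end

  def call(env)
    env['rack.session'] ||= {}
    env['rack.session.options'] ||= {}
    status, headers, body = @app.call(env)
    session = env['rack.session']
    options = env['rack.session.options']
    options[:expire_after] = session_ttl(session)
    sid = options[:id] ||= SecureRandom.hex(16)
    @store.set(sid, session, options[:expire_after])
    [status, headers, body]
  end
end

# Walk through: anonymous CSRF-only session, then login with a fresh session id,
# then two hours later only the authenticated session is still present.
def demo
  clock = Time.at(0)
  store = TtlStore.new(now: -> { clock })
  app = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] }
  stack = AnonymousSessionTtl.new(app, store)

  # 1. Anonymous request that only needs a CSRF token (constructed session data).
  stack.call('rack.session' => { '_csrf_token' => 'abc' },
             'rack.session.options' => { id: 'anon1' })
  anon_ttl = store.ttl('anon1')

  # 2. Login. Rails issues a new session id, so the old short TTL is never extended.
  stack.call('rack.session' => { '_csrf_token' => 'abc', USER_KEY => 42 },
             'rack.session.options' => { id: 'auth1' })
  auth_ttl = store.ttl('auth1')

  # 3. Two hours later: anonymous session expired, authenticated one still alive.
  clock += 2 * 60 * 60
  {
    anonymous_ttl: anon_ttl,
    authenticated_ttl: auth_ttl,
    anonymous_alive_after_2h: !store.get('anon1').nil?,
    authenticated_alive_after_2h: !store.get('auth1').nil?
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Because the TTL is recomputed on every request, an anonymous session that is never upgraded simply ages out after an hour, while the login flow never has to touch the old record: the new session created by Rails is what receives the week-long expiry.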