If you set Cookie Timeout in CF Admin to -1 minutes, then CFID and CFTOKEN become session cookies, which expire when you quit the browser. However, that means they DON'T expire UNTIL you quit the browser, not ideal.
Is there any way to have them expire in 20 mins (say), OR when you quit the browser?
Pretty sure this question has already been asked & answered: "Can a cookie expire when EITHER some time passes OR browser is closed?" ?
What you are asking is for a cookie to have no expiry (so it deletes when the browser closes) but also does have an expiry (after n minutes). It can't do both at once obviously.
I'd set the cookie to have no expiry so it deletes when the browser closes, and - as #AndreasRu suggests - maintain the session duration/idle-timeout on the CFML server.
Related
I have an issue to configuring Redhat Single SigOn (RHSSO) or Keycloak token expiration in seconds, about 30 seconds.
I just found the configuration in minutes. There is a way to adjust it to seconds?
From the Keycloak Admin Console it is not possible; Keycloak allows to specify the access token expiration time in Minutes, Hours or Days, but not in seconds:
Albeit, when one requests a token, the expiration time is display in seconds, namely:
{"access_token":"...","expires_in":60,"...}
The least amount of time that you can set via Admin Console is 1 minute. To be honest, I fail to see what would be the great benefit of having 30 seconds instead of 1 minute.
In the Admin Console, if one tries to specify 0.1 (or 0,1) minutes an error is displayed
Now that being said, it seems that you can use the Rest Full API to get around that restriction. First, request a token on behalf of the admin, extract its access token (let us called $ACCESS_TOKEN). And then call the following endpoint:
PUT <KEYCLOAK_HOST>/auth/admin/realms/<REALM_NAME>
with the following data
'{"accessTokenLifespan":30}'
Now if you request a token for a client on the Realm REALM_NAME you will get the following:
{"access_token":"...","expires_in":30,"...}
30 seconds as expiration time for the access token.
Now, I have not tested this, so it is up to you to find out if everything still works as it should.
I've got a issue where some users that go idle on my site for a period of time receive a CSRF error when submitting post requests. I don't want to disable the security feature in Rails because of its importance, so I was thinking to display a page timeout alert instead. However I cannot find anywhere what the Rails default timeout is for the authenticity_token. Can someone please point me in the right direction?
Thanks in advance.
UPDATE
When I look at cookies for my site Chrome shows that the session cookie expires when the browsing session ends. If that's the case and the reason that I get the CSRF error is due to an expired session, how does it expire if the browser is never closed?
The default behavior is for the CSRF protection to use cookie-based sessions, and for the cookies to expire when the session expires. It sounds like the session is expiring, causing the CSRF error.
I have session timeout setting as 1 hours, and my initial access_token seems timeout around this time. This is excepted.
And after it timeout, i did token refresh and get a new access_token, then i observed this refreshed access_token seems not timeout in 1 hours, even 5~6 hours after, it still not expired.
So is there refresed access_token never expire? Can someone explain more about this?
Refresh token policy is managed from admin side usually and is different from the initial access token. From what you say the setting you have right now for Refresh token is probably 'Refresh token is valid until revoked'.
When you go to your Salesforce org go to Setup -> Manage Connected Apps - find the connection you are looking for and see what policy you have set. You can set it to expire in number of days, based on usage or Immediately.
I have an ASP.Net MVC site secured with SSL and am using System.IdentityModel.Services and am creating the token like this:
SessionSecurityToken token = new SessionSecurityToken(myClaimsPrincipal, TimeSpan.FromDays(1));
SessionAuthenticationModule sam = FederatedAuthentication.SessionAuthenticationModule;
sam.WriteSessionTokenToCookie(token);
When I access the site in the browser, Firebug does not display the expiry date as expected. Instead the expiry date is shown as Session:
Can anyone explain why this is please? I assume that ASP.Net can still see the actual expiry date internally when it reads the cookie? More so, where is the cookie expiration time actually set?
You're mixing two different things here:
Token Expiration is determining until when the token is valid. After that time, even if the token is attached to a request, it is considered invalid and will not be honored. Usually the expiration time is encrypted within the token itself and that means that it's controlled solely by the token issuer.
Cookie Expiration is something that is controlled by the client (your Web-Browser in this case). Once the Cookie is expired it is no longer being attached to the request. But, should the Browser decide to send it, it will work until the Token expiration has reached.
In your particular case, the Token expiration is set to 1 day, but since the Cookie expiration is set to 'Session' it means that if you were to end the session (typically by closing your Browser window) at some point before the Token expires, the Cookie will not be sent and you'll be required to login again.
After 1 day (when the Token expires), even if you're still in session, you're always required to login again.
Update (as per your comments):
Ticket expiration and Cookie expiration can be set separately simply because sometimes the ticket is not necessarily contained in a Cookie. It may be sent to the server using other methods (QueryString, custom HTTP header etc). Yet, indeed the natural thing to do is have them both set to the same expiration time.
This is also the case in your SessionSecurityToken, if you'll set its IsPersistent flag to true you'll notice that Cookie expiration is now the same as the Ticket:
SessionSecurityToken token = new SessionSecurityToken(myClaimsPrincipal, TimeSpan.FromDays(1));
token.IsPersistent = true;
I am building a asp.net mvc application.
I want session to never expire, once the user login, unless the user clicks on logout.
Whats the best way of doing it?
I have used
FormsAuthentication.SetAuthCookie(userName, createPersistentCookie);
and set createPersistentCookie to true, but still I get logged out after sometime.
Implement sliding expiration. Leave the expiration time to some reasonable value - day, two, week max; renew the cookie on each request (simplest) or at certain intervals.
FormsAuthentication cookies use the timeout value to determine expiration. The createPersistentCookie flag just tells the API to set an expires value, rather than allowing the cookie to expire when the browser is closed. To prevent expiration, increase the forms authentication timeout value in the web.config. That value is in minutes, so to force the cookie to last one year, use 525600.