(no subject)

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

(no subject)

DMoscovitch
Hi,

I was wondering what the default timeout is for sessions in Guacamole is ?

By that I mean,
If I close my TAB in my browser (ie chrome) that has my Guacamole website but i have not logged out properly, and then reopen a tab and go back to the website I noticed that it connects me directly to the main web interface as logged in.
If I close the full browser it does seem to prompt for a re-login though.

I wouldn't mind being able to force a relogin if the tab is closed just incase anyone ever does this on a shared pc somewhere.

I am currently running 0.9.9 behind Nginx on https pointing at TOMCAT7





danielm


Reply | Threaded
Open this post in threaded view
|

Re:

Mike Jumper
On Mon, Feb 27, 2017 at 2:30 PM, <[hidden email]> wrote:
Hi,

I was wondering what the default timeout is for sessions in Guacamole is ?

By that I mean,
If I close my TAB in my browser (ie chrome) that has my Guacamole website but i have not logged out properly, and then reopen a tab and go back to the website I noticed that it connects me directly to the main web interface as logged in.
If I close the full browser it does seem to prompt for a re-login though.

I wouldn't mind being able to force a relogin if the tab is closed just incase anyone ever does this on a shared pc somewhere.

I am currently running 0.9.9 behind Nginx on https pointing at TOMCAT7


You will remain logged into Guacamole until:

(A) You explicitly log out of Guacamole by clicking "Logout" within the menu
or (B) Your session expires due to inactivity (no connections open, not otherwise actively using Guacamole)

By default, session expiration occurs after one hour of inactivity. This can be changed using the "api-session-timeout" property:


- Mike

Reply | Threaded
Open this post in threaded view
|

re: session timeout

DMoscovitch
Thanks Mike,

Is there any reason why I would want to keep it at 60, or really anything more than lets say a few minutes? If I understand, as long as I have the HOME page open, or an active connection all should be good and stay in session. I assume this does not care if someone does not move a mouse/keyboard for this calculation of inactivity?
I'm thinking of placing this to 5 minutes, or less really. Is this a bad idea?

Also, when changed in the settings file, does this take affect or does a restart become required?

danielm





From:        Mike Jumper <[hidden email]>
To:        [hidden email]
Date:        02/27/17 06:33 PM
Subject:        Re:




On Mon, Feb 27, 2017 at 2:30 PM, <DMoscovitch@...> wrote:
Hi,

I was wondering what the default timeout is for sessions in Guacamole is ?

By that I mean,

If I close my TAB in my browser (ie chrome) that has my Guacamole website but i have not logged out properly, and then reopen a tab and go back to the website I noticed that it connects me directly to the main web interface as logged in.

If I close the full browser it does seem to prompt for a re-login though.


I wouldn't mind being able to force a relogin if the tab is closed just incase anyone ever does this on a shared pc somewhere.


I am currently running 0.9.9 behind Nginx on https pointing at TOMCAT7



You will remain logged into Guacamole until:

(A) You explicitly log out of Guacamole by clicking "Logout" within the menu
or (B) Your session expires due to inactivity (no connections open, not otherwise actively using Guacamole)

By default, session expiration occurs after one hour of inactivity. This can be changed using the "api-session-timeout" property:

http://guacamole.incubator.apache.org/doc/gug/configuring-guacamole.html#initial-setup

- Mike

Reply | Threaded
Open this post in threaded view
|

Re: session timeout

Mike Jumper
On Fri, Mar 3, 2017 at 2:23 PM, <[hidden email]> wrote:
Thanks Mike,

Is there any reason why I would want to keep it at 60, or really anything more than lets say a few minutes? If I understand, as long as I have the HOME page open, or an active connection all should be good and stay in session.

Not exactly - having the home page open has no effect. To be considered active, you must either have a connection open or be generally navigating around the Guacamole interface (moving from page to page, performing admin tasks, etc.). If you just sit on the home page for an hour, your session will expire.

I assume this does not care if someone does not move a mouse/keyboard for this calculation of inactivity?

Correct.

I'm thinking of placing this to 5 minutes, or less really. Is this a bad idea?

It's completely up to you. There's no harm in changing the setting in general. I'd be wary of increasing the limit, as longer sessions increase the chance of an unauthorized user happening across someone's old session when using the same computer, but my only concern for decreasing the limit is user experience. The only way to know if this is a problem for you in practice is to try it.


Also, when changed in the settings file, does this take affect or does a restart become required?

Modifications to guacamole.properties require a Tomcat restart. You don't need to reboot the entire server, nor do you need to restart guacd. If you're using the Docker images, you'll need to restart the guacamole Docker container.

- Mike