Kibana: Idle sessions never expire

Created on 7 Feb 2020 · 3 Comments · Source: elastic/kibana

Kibana version: 7.x / master

Describe the bug: Idle sessions don't expire. It appears that every time the /internal/security/session API is called to check the session expiration, it renews the session.

Steps to reproduce:

  1. Start Kibana with xpack.security.session.idleTimeout: "75s"
  2. Observe the calls to the /internal/security/session API, and the responses each have an increasing idleTimeoutExpiration property.
  3. Observe that the user's session never expires.

Expected behavior: The user's session should expire after the specified time period of inactivity.

Security bug triaged

All 3 comments

Pinging @elastic/kibana-security (Team:Security)

Looks like the Kibana Platform changed how it handles exposing system requests to plugins. Tested and verified that this issue started after #53734 was merged.

Will submit a PR to fix shortly.

Thanks for finding and researching this! Gold medal for catching before it shipped
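The failure mode reported in this issue, reduced to a small model. This is an added example, not Kibana code: `SessionStore`, `isSystemRequest` and `extendOnSystemRequests` are hypothetical names, and the 60-second polling interval is an assumption. It shows an idle client polling the session endpoint under a sliding idle timeout, once with polls counted as activity (the bug) and once with them excluded.

```javascript
// Added illustration; not Kibana source. All identifiers are hypothetical.
const IDLE_TIMEOUT_MS = 75000; // mirrors xpack.security.session.idleTimeout: "75s"

class SessionStore {
  constructor({ extendOnSystemRequests }) {
    this.extendOnSystemRequests = extendOnSystemRequests;
    this.sessions = new Map(); // sid -> { idleTimeoutExpiration }
  }

  create(sid, now) {
    this.sessions.set(sid, { idleTimeoutExpiration: now + IDLE_TIMEOUT_MS });
  }

  // Runs for every request. Returns session info, or null once the session has expired.
  authenticate(sid, request, now) {
    const session = this.sessions.get(sid);
    if (!session) return null;
    if (now >= session.idleTimeoutExpiration) {
      this.sessions.delete(sid); // idle window elapsed: invalidate server-side
      return null;
    }
    // Only user-driven activity should slide the idle window forward.
    if (!request.isSystemRequest || this.extendOnSystemRequests) {
      session.idleTimeoutExpiration = now + IDLE_TIMEOUT_MS;
    }
    return { idleTimeoutExpiration: session.idleTimeoutExpiration };
  }
}

// Constructed scenario: an idle tab polls the session endpoint every 60 s for 10 min.
function simulateIdlePolling(store, pollEveryMs = 60000, durationMs = 600000) {
  store.create('sid-1', 0);
  const poll = { path: '/internal/security/session', isSystemRequest: true };
  const seen = []; // idleTimeoutExpiration values returned to the client
  for (let now = pollEveryMs; now <= durationMs; now += pollEveryMs) {
    const info = store.authenticate('sid-1', poll, now);
    if (info === null) return { expiredAt: now, seen };
    seen.push(info.idleTimeoutExpiration);
  }
  return { expiredAt: null, seen };
}

const buggy = simulateIdlePolling(new SessionStore({ extendOnSystemRequests: true }));
const fixed = simulateIdlePolling(new SessionStore({ extendOnSystemRequests: false }));
console.log('polls extend session:', buggy.expiredAt, buggy.seen.slice(0, 3));
console.log('polls ignored:       ', fixed.expiredAt, fixed.seen);
```

A regression test for this class of bug can assert the same thing against a real deployment: with no user input, successive session-check responses must not report an increasing `idleTimeoutExpiration`.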
