Bug #49803
closed
mgr/dashboard: validate/fix behaviour of JWT cookie after expiration
Status: Can't reproduce
Priority: High
Assignee:
Category: Security & Auth
Target version:
% Done: 0%
Source: Q/A
Tags:
Backport: pacific,octopus,nautilus
Regression: No
Severity: 2 - major
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):
Description
Description of problem
With the recent change to Secure cookies, it's been observed that the browser cookies need to be manually cleared from time to time (e.g.: after a new dashboard is deployed), so the question is whether the current behaviour is correct: we should verify that with the JWT token expiration (TTL).
How reproducible
This should be tested by setting a very low JWT TTL: ceph dashboard set-jwt-token-ttl 120 (seconds).
After 2 minutes logged in, the cookie/JWT should expire and the user should be logged off.
The log-in shouldn't require manually deleting the cookie: it should be a regular log-in operation.
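The expiry behaviour this ticket asks to verify, modelled as an added example (not Ceph dashboard code and not part of the original report): a token issued with a 120-second TTL is classified as valid, expired or invalid, and a stale cookie is answered with a 401 plus a Set-Cookie that deletes it. The cookie name, secret, claim layout and the use of HS256 are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

COOKIE_NAME = "token"  # hypothetical cookie name, not taken from the ticket

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def issue_token(secret, username, now, ttl):
    """Constructed HS256 JWT with iat/exp claims (assumed claim layout)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"username": username, "iat": now, "exp": now + ttl}).encode())
    signing_input = f"{header}.{claims}"
    return f"{signing_input}.{_b64url(_sign(secret, signing_input))}"

def check_cookie(secret, token, now):
    """Classify the cookie's token as 'valid', 'expired' or 'invalid'."""
    try:
        header, claims, sig = token.split(".")
        if not hmac.compare_digest(_sign(secret, f"{header}.{claims}"), _b64url_decode(sig)):
            return "invalid"  # signed with a different key, or tampered with
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return "invalid"
        exp = json.loads(_b64url_decode(claims))["exp"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return "invalid"
    if not isinstance(exp, int):
        return "invalid"
    return "expired" if now >= exp else "valid"  # RFC 7519: reject at or after exp

def auth_response(secret, token, now):
    """Stale cookie -> 401 plus a Set-Cookie that deletes it, so the next log-in is a regular one."""
    if check_cookie(secret, token, now) == "valid":
        return 200, {}
    # Name and Path must match the original cookie, or the browser keeps the old one.
    clear = f"{COOKIE_NAME}=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Strict"
    return 401, {"Set-Cookie": clear}

if __name__ == "__main__":
    secret = b"constructed-secret"  # constructed sample values
    tok = issue_token(secret, "admin", now=1000, ttl=120)
    for t in (1119, 1120):
        print(t, check_cookie(secret, tok, t), auth_response(secret, tok, t))
```

Distinguishing "expired" from "invalid" helps when triaging a stuck session: the first is the TTL doing its job, the second points at the token itself rather than its lifetime.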
Updated by Avan Thakkar about 3 years ago
I tried the reproducing steps and I was logged out after 120s, so there doesn't seem to be any issue here.
Updated by Avan Thakkar about 3 years ago
- Status changed from In Progress to Can't reproduce
Updated by Ernesto Puerta about 3 years ago
- Project changed from mgr to Dashboard
- Category changed from 145 to Security & Auth