Keep session alive

Question?

I am looking for a way to extend the Pomerium session automatically if the user is active.
Currently, I am using the default cookie expiration: 14h. I would like to be able to close the user session sooner if the user is not active. I thought about reducing the cookie expiration to 1h, but then the user has to log in again every 1h.

Ideally, I would like to log out the user after 1h of inactivity or after a day. This would force the user to authenticate again every day and also reduce the risk of a session staying open if the user does not use the application.

Does Pomerium support such functionality?

What’s your environment like?

  • Pomerium version: v0.14.2
  • Linux container inside a Kubernetes cluster
  • Traefik is used as Ingress controller
  • Pomerium is used for forward auth from Traefik
  • Keycloak is used as Identity Provider for Pomerium

What’s your config.yaml?

shared_secret: XXXXX
address: :80
insecure_server: true
policy:
- from: https://myapp.external
  to: http://myapp.internal:8080
  allowed_domains:
  - mydomain.com
authenticate_service_url: https://pomerium-authenticate.external
cookie_secret: YYYYY
idp_client_id: keycloak-idp
idp_client_secret: ZZZZZ
idp_provider: oidc
idp_provider_url: https://keycloak.external
idp_qps: 0
authorize_service_url: http://pomerium-authorize.internal
forward_auth_url: http://pomerium-proxy.internal
databroker_service_url: http://pomerium-cache.internal
databroker_storage_type: memory

I am also open to other solutions that could log out the user automatically after a period of inactivity.

Thanks for the post @Nicolas. In short, not today, but this should be doable and is a reasonable feature request.

That is correct. Currently, the Expiration of a user’s session sets not only the max lifetime of the cookie (stored locally in a client’s browser), but also the maximum duration for which Pomerium will attempt to refresh and keep a given user’s session valid.

We discussed the functionality as a team today and it should be possible.

Just to clarify, would your ideal functionality be that today’s Expiration acts as an absolute maximum a user session would be valid for (e.g. 2 weeks), and a new setting Expires_after_inactivity (or something better named :wink: ) dictates how long an inactive session would be good for (e.g. expires after 8 hours of no user interaction)?

If that’s correct, to make sure that we accurately capture your user stories, do you mind following up with a feature request and linking back to this issue?

@Nicolas – An earlier request that is very similar.

Thanks @bobby for the answer. I am checking with my Product Managers to define our expected behavior. I feel like your suggestion with an absolute expiration and an inactivity expiration could work out.

I assume that from Pomerium’s point of view, inactivity means that no call to a protected service is made. Am I correct?
If this is the case, and we would like to keep the session alive even if the user is only active in the UI without any backend calls, I imagine that having a “keep alive” backend call triggered on a schedule would be enough to refresh the Pomerium session. Could you confirm?

When the session is refreshed, will the cookie be refreshed transparently for the end user?

I’ll update the feature request as soon as we define our full expected behavior.

Thanks @bobby for the answer. I am checking with my Product Managers to define our expected behavior.

Sounds good.

I assume that from Pomerium’s point of view, inactivity means that no call to a protected service is made. Am I correct?

Yes.

If this is the case, and we would like to keep the session alive even if the user is only active in the UI without any backend calls, I imagine that having a “keep alive” backend call triggered on a schedule would be enough to refresh the Pomerium session. Could you confirm?

Yes, that should do the trick. As long as something is “polling” the Pomerium-protected backend, the session should be kept alive if we implemented this capability.

When the session is refreshed, will the cookie be refreshed transparently for the end user?

That’s a trickier question. If we implemented keep-alive, I would argue that session cookies could be much longer lived without compromising any security (indeed, I think it would be totally fine to set no expiration, or a very long expiration, on the session cookie itself) in this model, since activity is tracked more reliably by the backend system.

I’ll update the feature request as soon as we define our full expected behavior.

:+1:

I’d also be interested in such a feature, allowing us to push the default cookie expiration to a week or two.

Our old auth solution simply returned 403s, which were easy to catch in client code. It’s proving more difficult than expected to catch Pomerium’s redirect attempts using the JavaScript fetch() API, especially when CORS on the IdP is involved. Not Pomerium’s fault (we need to learn front-end better), but this feature would help our transition.

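An added example (not from this thread or from Pomerium’s own code) that puts the two ideas above together: a browser-side keep-alive that pings a Pomerium-protected backend only while the user is active, so an idle tab lets the session lapse, and a fetch() call made with redirect: "manual" so Pomerium’s redirect to the authenticate service is detected rather than silently followed. The /api/keepalive path and the timings are assumptions; fetch and the clock are injectable so the logic can run outside a browser.

```javascript
// Assumed values: endpoint behind Pomerium, idle limit and ping interval.
const KEEPALIVE_URL = "/api/keepalive";
const IDLE_LIMIT_MS = 60 * 60 * 1000;   // stop pinging after 1h without user input
const PING_INTERVAL_MS = 5 * 60 * 1000; // ping every 5 minutes while the user is active

// Classify a fetch() Response obtained with redirect: "manual". An expired
// session makes Pomerium redirect to the authenticate service: cross-origin
// that surfaces as type "opaqueredirect", same-origin as a 3xx status.
function classifyResponse(resp) {
  if (resp.type === "opaqueredirect" || (resp.status >= 300 && resp.status < 400)) {
    return "session-expired";
  }
  if (resp.status === 401 || resp.status === 403) return "forbidden";
  return resp.ok ? "alive" : "error";
}

// Keep-alive controller. fetchImpl and now default to the browser globals but
// can be replaced (fake fetch, fake clock) to exercise the logic offline.
function createKeepAlive({ fetchImpl = globalThis.fetch, now = Date.now, onExpired = () => {} } = {}) {
  const state = { lastActivity: now(), pings: 0, expired: false };

  // Wire this to UI events so pure front-end activity counts as "active".
  function noteActivity() { state.lastActivity = now(); }

  // One scheduler tick: no ping while idle, otherwise hit the backend and
  // report what Pomerium answered. Stops for good once the session expired.
  async function tick() {
    if (state.expired) return "stopped";
    if (now() - state.lastActivity > IDLE_LIMIT_MS) return "idle";
    const resp = await fetchImpl(KEEPALIVE_URL, {
      method: "GET", credentials: "include", redirect: "manual", cache: "no-store",
    });
    state.pings += 1;
    const result = classifyResponse(resp);
    if (result === "session-expired") { state.expired = true; onExpired(); }
    return result;
  }

  // Browser entry point: track activity and schedule the periodic ping.
  function start() {
    for (const ev of ["mousemove", "keydown", "click", "touchstart"]) {
      globalThis.addEventListener?.(ev, noteActivity, { passive: true });
    }
    return setInterval(tick, PING_INTERVAL_MS);
  }

  return { noteActivity, tick, start, state };
}
```

In a page, call createKeepAlive({ onExpired: () => location.reload() }).start() once the app has loaded; the reload then lets Pomerium run its normal login redirect.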