
Support for maximum session lifetime #49

Open
alitheg wants to merge 6 commits into apache:main from alitheg:patch-1

alitheg commented Feb 2, 2026

We implemented a maximum session lifetime as part of the Trusted Releases platform, but thought we should contribute it back. Feedback welcome!

Member

gstein commented Feb 2, 2026

I implemented cookie/session lifetimes in infrastructure-idm ... I believe that the lifetime is an application concern, rather than a parameter to the .read() method. To this end, I'd suggest something in config.yaml and/or a parameter when the app is constructed, which is then used to restrict all session lifetimes regardless of .read() usage.

And to be clear: the quart session cookie has an HMAC on it, to prevent tampering. That is the purpose of secret_key. (IDM didn't have asfquart, so it was doing the HMAC on its own)

Author

alitheg commented Feb 2, 2026

I've put it in there as a config parameter instead of an argument. In ATR we load our config programmatically (app.config.from_object(app_config)) and I thought it would be less clean to pass one of the app_config properties into asfquart.construct before then passing the whole config in again once the app exists.
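
The design discussed in this thread, as an added example that is not code from the pull request, asfquart or Quart: a session cookie whose creation time is covered by the HMAC, and a maximum lifetime taken from application config rather than from the caller of the read function. The cookie layout, the function names and the `MAX_SESSION_AGE` key are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time


class SessionTampered(Exception):
    """Cookie signature does not match its payload."""


class SessionExpired(Exception):
    """Session is older than the application-wide maximum."""


def _sign(secret_key: bytes, payload: bytes) -> bytes:
    return hmac.new(secret_key, payload, hashlib.sha256).hexdigest().encode()


def issue_cookie(secret_key: bytes, data: dict, now=None) -> str:
    # created_at is stamped once at login and is covered by the HMAC.
    body = dict(data, created_at=int(time.time() if now is None else now))
    payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode())
    return payload.decode() + "." + _sign(secret_key, payload).decode()


def read_session(config: dict, cookie: str, now=None) -> dict:
    payload, _, sig = cookie.rpartition(".")
    expected = _sign(config["SECRET_KEY"], payload.encode())
    # Verify the signature before parsing anything, in constant time.
    if not hmac.compare_digest(sig.encode(), expected):
        raise SessionTampered("bad signature")
    body = json.loads(base64.urlsafe_b64decode(payload))
    max_age = config.get("MAX_SESSION_AGE")  # hypothetical config key, seconds
    if max_age is not None:
        created = body.get("created_at")
        # Fail closed on cookies that were issued without a timestamp.
        if not isinstance(created, int):
            raise SessionExpired("no creation time")
        current = int(time.time() if now is None else now)
        if current - created > max_age:
            raise SessionExpired("maximum lifetime exceeded")
    return body
```

Because the limit lives in `config`, every caller of `read_session` gets the same cap, and a client cannot extend its session by rewriting `created_at` without invalidating the signature.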
