
Boundary App Indefinite Session Time

Open pwill1 opened this issue 2 years ago • 2 comments

Describe the bug

The Boundary app session does not have an expiration date and remains active indefinitely. However, if the user doesn't use the app for 24 hours and then tries to access it, they will not be prompted to authenticate. This can be a potential security issue, and it is recommended to prompt users to authenticate after a certain period of inactivity to enhance security.

I followed the documentation here; you can change this via auth_token_time_to_stale and set the time to 4 hours, but it seems to only take effect on the web UI; the changes did not affect the application.

image

To Reproduce

  1. Change via auth_token_time_to_stale
  2. Set time to preferred duration
  3. Monitor app after the time expires for auto-logout

Additional context

I have tested this on both prod and sandbox, and it produces the same result.

pwill1, Feb 24 '23 19:02

Hi @pwill1, just to ensure we have the correct reproduction steps, can you send the following information:

  • What version of Boundary are you running?
  • On what interface are you experiencing this issue? The CLI? Desktop Client? I want to make sure I understand what you mean by "monitor the app".

The screenshot you shared shows a 403 error indicating the user does not have permission to access the web UI pages, suggesting the token expiration is being enforced appropriately.

Appreciate your help!

covetocove, Feb 24 '23 20:02

@PPacent See responses below

  • Boundary Version on both sandbox and production: 0.11.2
  • Issue is related to the Boundary Desktop Client

pwill1, Feb 24 '23 20:02