GUACAMOLE-2138: Add connection-timeout parameter
Summary
In my company's business use case for Guacamole, for security and auditing purposes, we need to be able to ensure that any idle user is disconnected and logged off within a set period of time of idleness.
In an ideal version of such a system, we would do the following.
- Check if the user has interacted with the connection in the last X minutes, or if an active SFTP transfer is happening on the connection.
- If not, terminate the user connection after X minutes of inactivity.
- If they remain idle, the Guacamole idle timer will log them out after the pre-configured login idle timeout.
This requires a lot of conditionals and would be more difficult to implement and maintain in an ongoing project like Guacamole.
A more practical, yet sufficient, version is:
- The Administrator sets a maximum duration for any connection, specified in minutes.
- Any connection that exceeds that duration, regardless of activity, is terminated while the user remains logged in. They are free to reconnect if the user is still active.
- The login idle timeout starts when the connection ends.
This second option meets our business needs, and we would like to share it with others.
Features
- Add parameter `connection-timeout` in `guacamole.properties`, disconnecting users after `connection-timeout` minutes. Defaults to 0, disabling the feature.
- Implement the connection timeout using a Map that stores the creation time of the connection.
- Integrate the connection timeout check into the existing idle timeout function.
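The feature list above describes the mechanism (a map of creation times, swept from the same periodic task as the idle-timeout check). The following is an added illustration of that shape, written for this page; it is not code from the pull request or from the Guacamole project. The `Tunnel` interface is a hypothetical stand-in for `GuacamoleTunnel` so the example runs offline, and the class and method names (`ConnectionDurationLimiter`, `register`, `closeExpired`) are assumptions, not Guacamole API.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Added example, not project code: a maximum-connection-duration limiter in
 * the shape the PR summary describes. Creation times are kept in a map keyed
 * by tunnel UUID; a periodic sweep (the PR hooks it into the existing idle
 * timeout check) closes every tunnel open longer than the limit, regardless
 * of activity. A limit of 0 disables the feature, matching the default.
 */
public class ConnectionDurationLimiter {

    /** Hypothetical stand-in for GuacamoleTunnel so the example is self-contained. */
    public interface Tunnel {
        UUID getUUID();
        void close();
    }

    /** Duration.ZERO means "disabled", as a connection-timeout of 0 would. */
    private final Duration maxDuration;

    /** Creation time per tunnel; this is the "Map" the PR description refers to. */
    private final Map<UUID, Instant> openedAt = new ConcurrentHashMap<>();
    private final Map<UUID, Tunnel> tunnels = new ConcurrentHashMap<>();

    /** @param connectionTimeoutMinutes value of the (assumed) connection-timeout property */
    public ConnectionDurationLimiter(long connectionTimeoutMinutes) {
        if (connectionTimeoutMinutes < 0)
            throw new IllegalArgumentException("connection-timeout must be >= 0");
        this.maxDuration = Duration.ofMinutes(connectionTimeoutMinutes);
    }

    public boolean isEnabled() {
        return !maxDuration.isZero();
    }

    /** Record the creation time when a tunnel is opened. */
    public void register(Tunnel tunnel, Instant now) {
        tunnels.put(tunnel.getUUID(), tunnel);
        openedAt.put(tunnel.getUUID(), now);
    }

    /** Forget a tunnel that closed on its own, so the map cannot grow without bound. */
    public void unregister(UUID uuid) {
        tunnels.remove(uuid);
        openedAt.remove(uuid);
    }

    /**
     * Close every tunnel that has been open for at least maxDuration, whether
     * or not the user is active. Meant to run from the same periodic task as
     * the idle-timeout check. Returns the UUIDs that were closed.
     */
    public List<UUID> closeExpired(Instant now) {
        List<UUID> closed = new ArrayList<>();
        if (!isEnabled())
            return closed;
        // ConcurrentHashMap iterators tolerate concurrent removal, so the
        // sweep may remove entries while walking the map.
        for (Map.Entry<UUID, Instant> e : openedAt.entrySet()) {
            if (Duration.between(e.getValue(), now).compareTo(maxDuration) >= 0) {
                UUID uuid = e.getKey();
                Tunnel t = tunnels.remove(uuid);
                openedAt.remove(uuid);
                if (t != null)
                    t.close();
                closed.add(uuid);
            }
        }
        return closed;
    }

    /** Constructed demo: two tunnels opened at t0, swept at +10 and +30 minutes. */
    public static void main(String[] args) {
        Instant t0 = Instant.parse("2024-01-01T09:00:00Z");
        ConnectionDurationLimiter limiter = new ConnectionDurationLimiter(30);
        for (int i = 0; i < 2; i++) {
            UUID id = UUID.randomUUID();
            limiter.register(new Tunnel() {
                public UUID getUUID() { return id; }
                public void close() { System.out.println("closed " + id); }
            }, t0);
        }
        System.out.println("after 10 min: " + limiter.closeExpired(t0.plus(Duration.ofMinutes(10))).size() + " closed");
        System.out.println("after 30 min: " + limiter.closeExpired(t0.plus(Duration.ofMinutes(30))).size() + " closed");

        ConnectionDurationLimiter disabled = new ConnectionDurationLimiter(0);
        System.out.println("limit 0 enabled? " + disabled.isEnabled());
    }
}
```

Two points a deployer should keep in mind follow directly from the PR's own design: the sweep closes the tunnel even while an SFTP transfer is in progress, because the chosen "practical" variant ignores activity by design, and the tunnel's closing must also remove its map entry (here `unregister` / the removal inside `closeExpired`), otherwise creation times for long-gone connections accumulate in the map.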
I think this is the full "whole-server" version I have for now, addressing the comments above.
I saw your comments about adding feedback to guacd. Is that something I would need to implement in a guacd pull request for this to be approved?
> I think this is the full "whole-server" version I have for now, addressing the comments above.
> I saw your comments about adding feedback to guacd. Is that something I would need to implement in a guacd pull request for this to be approved?
Yes, any sort of feedback loop for guacd would require some changes both here and in the guacd code.
In terms of communication with guacd:
- Would it be okay to use the `SESSION_TIMEOUT` error code or should I make my own? Or possibly just use the 'disconnect' handler on the guacd side?
- If the client needs to send information back to guacd when tunnels are closed, why isn't a message sent by `tunnel.close()` implementations by default?
> In terms of communication with guacd:
> - Would it be okay to use the `SESSION_TIMEOUT` error code or should I make my own? Or possibly just use the 'disconnect' handler on the guacd side?
I'm tempted to say make another one, because of things I've mentioned above - the implementation, here, isn't so much a "timeout" as it is a limit. To me, "timeout" carries a notion of waiting for something - user interaction, a network response, etc. - and not getting that. In this case, you're actually putting a cap on the session duration regardless of whether the user is active or not, the server is responsive or not, etc.
> - If the client needs to send information back to guacd when tunnels are closed, why isn't a message sent by `tunnel.close()` implementations by default?
I would guess there just hasn't been a need for it in the past. It could probably be added - my only caution would be to make sure that adding it doesn't break compatibility with clients that don't send a message.