Session timeout notification #12093
DryRun Security Summary

A patch implements a session expiry notification feature with context processor and frontend modal, addressing potential session management vulnerabilities while using Django's built-in session management and XSS mitigation techniques.

Summary: A patch introduces a new session expiry notification feature across multiple files, adding a context processor, configuration settings, and a frontend modal to warn users about session timeouts.

Security Findings: No critical security vulnerabilities were identified in the provided summaries.

Code Analysis: We ran

Overall Riskiness: 🔴 Risk threshold exceeded. We've notified @mtesauro, @grendel513.
dojo/context_processors.py
Outdated
return {} | ||
else: | ||
return { | ||
"session_expiry_time": expiry_time, |
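Review bot: the `else:` after an unconditional `return {}` is redundant; returning the dict at function level reads more clearly and avoids the extra indentation. It is also worth stating in a comment whether the values placed in this dict are seconds or milliseconds, since base.html hands them straight to JavaScript timers.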
expiry time doesn't appear to ultimately be used -- can it just be removed from here?
Good catch! Done.
dojo/templates/base.html
Outdated
|
||
function session_notifcation() { | ||
var warningTime = "{{ session_notify_time|default:0|escapejs }}"; // When the warning will show | ||
var expiryTime = "{{ session_expiry_time|default:0|escapejs }}"; // When the session will expire |
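Review bot: `session_notifcation` is misspelled; rename it to `session_notification` before anything references it. Both template values are emitted inside double quotes, so `warningTime` and `expiryTime` are strings, and `default:0` yields the string `"0"`, which is truthy in JavaScript; convert with `Number()` or `parseInt()` before comparing or passing to `setTimeout`, otherwise a check such as `if (warningTime)` will not skip the modal when no value was provided. Wrapping the value in quotes with `escapejs` is the right way to inject it into script context.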
This var is unused and can be removed.
Also done
Approved
Hi @kevin-vuong99 this one ended up breaking unit tests once it got fully into the dev branch. For the sake of getting the release out today, I am reverting this PR. I am not sure exactly why tests did not fail on this PR directly. Sometimes there are conflicting features on separate branches (sometimes by different contributors) and when they are introduced, we find that the two PRs do not work well together. Here are some of the errors that are occurring:

Browser:

Unit test failures:
Hi @Maffooch, do you know what would the next steps be for this?

Will need to create a new PR, and if tests fail, do whatever it takes to make them pass. If tests do not fail, then we'll need to figure out what that looks like. Please be sure to update your branch with the latest version of the dev branch before starting, as that seemed to have an impact here
Re-creation of #12054
Description
Issue: Session timeout without letting the user either extend the time or have any type of indication that the session is about to expire.
A warning will appear shortly before the session expires using Bootstrap's modal components warning the user their session will expire soon.
Impact on Users
People with physical disabilities often need more time to react, to type and to complete activities. People with low vision need more time to locate things on screen and to read. People who are blind and using screen readers may need more time to understand screen layouts, to find information and to operate controls. People who have cognitive or language limitations need more time to read and to understand. People who are deaf and communicate in sign language may need more time to read information printed in text (which may be a second language for some).
In circumstances where a sign-language interpreter may be relating audio content to a user who is deaf, control over time limits is also important.
People with reading disabilities, cognitive limitations, and learning disabilities who may need more time to read or comprehend information can have additional time to read the information by pausing the content.
Remediation
The user is warned before time expires.
I used a context processor to pass the session cookie age value to base.html. Since no view directly renders base.html, I didn't think I could use a view-based approach. If there is a better idea, I can modify the PR.
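The context-processor approach described in the PR, written out as an added example that is not DefectDojo's code. It assumes a hypothetical setting `SESSION_EXPIRY_WARNING_SECONDS` (the lead time before expiry at which the modal should appear) and a function name `session_notify`; `Settings`, `FakeSession`, `FakeUser` and `FakeRequest` are constructed stand-ins for `django.conf.settings`, `request.session`, `request.user` and `HttpRequest` so the example runs without Django installed. The only Django calls it mirrors are `request.session.get_expiry_age()` (seconds until the session expires) and `request.user.is_authenticated`. It returns the delay in milliseconds so the template can hand the value to `setTimeout` unchanged, returns `{}` for anonymous visitors so the modal script is skipped on the login page, and clamps the delay at zero when less than the lead time remains.

```python
from dataclasses import dataclass


@dataclass
class Settings:
    """Stand-in for django.conf.settings (constructed for this example)."""
    SESSION_COOKIE_AGE: int = 1209600            # Django's default: 14 days, in seconds
    SESSION_EXPIRY_WARNING_SECONDS: int = 300    # hypothetical setting: warn 5 minutes before expiry


class FakeSession(dict):
    """Minimal stand-in for request.session exposing get_expiry_age() (constructed)."""

    def __init__(self, expiry_age=None, settings=None):
        super().__init__()
        self._expiry_age = expiry_age
        self._settings = settings or Settings()

    def get_expiry_age(self):
        # Django returns a per-session expiry when one was set via set_expiry(),
        # otherwise SESSION_COOKIE_AGE; this mirrors that behaviour.
        if self._expiry_age is not None:
            return self._expiry_age
        return self._settings.SESSION_COOKIE_AGE


@dataclass
class FakeUser:
    """Stand-in for request.user (constructed)."""
    is_authenticated: bool


@dataclass
class FakeRequest:
    """Stand-in for django.http.HttpRequest (constructed)."""
    user: FakeUser
    session: FakeSession


def session_notify(request, settings=None):
    """Hypothetical context processor for base.html.

    Returns {"session_notify_time": <milliseconds>} telling the page when the
    expiry warning modal should open, or {} when there is no session to warn
    about (anonymous visitor), so the template can skip the script entirely.
    """
    settings = settings or Settings()
    user = getattr(request, "user", None)
    if user is None or not user.is_authenticated:
        return {}

    remaining = request.session.get_expiry_age()        # seconds left in the session
    lead = settings.SESSION_EXPIRY_WARNING_SECONDS       # how early to warn
    # Clamp at 0: if less than the lead time remains, warn immediately rather
    # than scheduling a negative timeout.
    delay_seconds = max(remaining - lead, 0)
    return {"session_notify_time": delay_seconds * 1000}


if __name__ == "__main__":
    demo_settings = Settings(SESSION_COOKIE_AGE=1800, SESSION_EXPIRY_WARNING_SECONDS=300)
    logged_in = FakeRequest(FakeUser(True), FakeSession(settings=demo_settings))
    anonymous = FakeRequest(FakeUser(False), FakeSession(settings=demo_settings))
    print(session_notify(logged_in, demo_settings))     # warning 25 minutes after load
    print(session_notify(anonymous, demo_settings))     # {} -> no modal on the login page
```

To wire this into Django, the function would be registered under the template engine's `context_processors` option (for example `"dojo.context_processors.session_notify"`, assuming that module path) and the template would emit `{{ session_notify_time }}` unquoted as a number, or parse it with `Number()` in JavaScript, since the value is an integer rather than text.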