Controlling session timeouts in the Portal


Overview

To prevent Cross-Site Request Forgery (CSRF), sessions in the Portal are time-limited and protected by secure tokens.

By default, a token remains valid for 8 hours. If you are inactive for more than 8 hours while in a Portal session, your next action in the Portal will redirect you to the login page.

In turn, a session is valid for 24 hours by default. After continuously using the Portal for 24 hours without interruption, the session expires and you are forced to log in again to renew the session.

Setting the value of session timeouts

The validity time for both tokens and sessions is configurable. Remember that the longer the interval, the more vulnerable the Portal is to CSRF attacks.

  1. Log in to the CLI of the Portal appliance.
  2. Optional: If the Portal has no configuration file yet, that is, if portal.conf does not exist in folder /var/nexthink/portal/conf, create it by copying the defaults from the sample configuration file:
    sudo cp /var/nexthink/portal/conf/portal.conf.sample \
    /var/nexthink/portal/conf/portal.conf
  3. Edit the Portal configuration file:
    sudo vi /var/nexthink/portal/conf/portal.conf
  4. Type in the following line to set the value for the validity time of tokens (minimum value is 2 minutes). Use the suffix h to specify the time interval in hours and m to express it in minutes. For example, to set the period to its default value of 8 hours:
    globalconfig.portal.session.token-validity-period = 8 h
  5. Type in the following line to set the value for the validity time of sessions. For example, to set the period to its default value of 24 hours:
    globalconfig.portal.session.maximum-session-lifetime = 24 h
    • Optional: Express it in minutes:
    globalconfig.portal.session.maximum-session-lifetime = 1440 m
  6. Save your changes and exit:
    :wq
  7. Restart the Portal to apply your settings:
    sudo systemctl restart nxportal
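The procedure above edits the file by hand. The following shell script is an added example, not Nexthink's own tooling: it validates the two periods (integer plus the suffix h or m, token validity of at least 2 minutes, as stated in step 4), writes or replaces the two keys in portal.conf without duplicating lines, and reads them back. It also contains a small function that models the Overview's two rules (inactivity longer than the token validity sends the next request to the login page; a session older than the maximum lifetime forces a new login) so the difference between the two timeouts can be seen on concrete numbers; that function is an illustration of the documented behaviour, not Portal code. The path and key names are the ones on this page; PORTAL_CONF is a hypothetical override so the functions can be tried against a scratch file.

```shell
#!/bin/sh
# Added example (not Nexthink's tooling): validate and write the Portal
# session timeouts into portal.conf. Path and keys come from the page;
# PORTAL_CONF is a hypothetical override for testing on a scratch file.
PORTAL_CONF="${PORTAL_CONF:-/var/nexthink/portal/conf/portal.conf}"

# Convert "8 h" or "1440 m" to minutes. Prints the number; returns 1 if
# the value is not an integer followed by the suffix h or m.
nx_period_to_minutes() {
    _re='^[[:space:]]*\([0-9][0-9]*\)[[:space:]]*\([hm]\)[[:space:]]*$'
    _num=$(printf '%s' "$1" | sed -n "s/$_re/\1/p")
    _unit=$(printf '%s' "$1" | sed -n "s/$_re/\2/p")
    [ -n "$_num" ] || return 1
    case "$_unit" in
        h) echo $((_num * 60)) ;;
        m) echo "$_num" ;;
        *) return 1 ;;
    esac
}

# Escape the dots in a key so it can be used in a sed basic regex.
nx_escape_key() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Set "key = value" in a file: replace the existing line, else append.
# Writes through a temporary file, so it does not depend on GNU sed -i.
nx_set_key() {
    _file=$1; _key=$2; _value=$3
    _esc=$(nx_escape_key "$_key")
    if grep -q "^[[:space:]]*$_esc[[:space:]]*=" "$_file" 2>/dev/null; then
        sed "s|^[[:space:]]*$_esc[[:space:]]*=.*|$_key = $_value|" "$_file" > "$_file.tmp" \
            && mv "$_file.tmp" "$_file"
    else
        printf '%s = %s\n' "$_key" "$_value" >> "$_file"
    fi
}

# Print the value of a key (last occurrence wins, as a sanity check).
nx_get_key() {
    _esc=$(nx_escape_key "$2")
    sed -n "s/^[[:space:]]*$_esc[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Steps 4 and 5: validate both periods, then write them to the file.
nx_set_session_timeouts() {
    _file=$1; _token=$2; _session=$3
    _tok_min=$(nx_period_to_minutes "$_token") || { echo "bad token period: $_token" >&2; return 1; }
    _ses_min=$(nx_period_to_minutes "$_session") || { echo "bad session period: $_session" >&2; return 1; }
    if [ "$_tok_min" -lt 2 ]; then
        echo "token validity must be at least 2 minutes (got $_tok_min)" >&2
        return 1
    fi
    nx_set_key "$_file" globalconfig.portal.session.token-validity-period "$_token"
    nx_set_key "$_file" globalconfig.portal.session.maximum-session-lifetime "$_session"
}

# Model of the Overview: given the configured periods, the minutes since
# the last action and the minutes since login, say what the next request
# gets. Illustration of the documented rules, not Portal code.
nx_session_state() {
    _tok_min=$(nx_period_to_minutes "$1") || return 1
    _ses_min=$(nx_period_to_minutes "$2") || return 1
    _idle=$3; _age=$4
    if [ "$_age" -ge "$_ses_min" ]; then
        echo "session-expired: log in again"
    elif [ "$_idle" -gt "$_tok_min" ]; then
        echo "token-expired: redirected to login page"
    else
        echo "ok"
    fi
}

# Steps 2 to 7 on the appliance: refuse to run without the config file
# (copy portal.conf.sample first), write the keys, restart the Portal.
# Usage: nx_apply "8 h" "24 h"
nx_apply() {
    [ -f "$PORTAL_CONF" ] || { echo "$PORTAL_CONF missing; copy portal.conf.sample first" >&2; return 1; }
    nx_set_session_timeouts "$PORTAL_CONF" "${1:-8 h}" "${2:-24 h}" || return 1
    sudo systemctl restart nxportal
}
```

Run `nx_apply "8 h" "24 h"` on the appliance after sourcing the script; the validation refuses a token period under 2 minutes or a value with an unknown suffix before anything is written, so a typo cannot leave the Portal with an unintended timeout.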

Overriding session timeouts

Note that, when creating a user, the user may be granted the privilege of never being timed out. In that case, the values configured for session timeouts do not apply to that user.
