Explain the logout reason to the user when the concurrent session limit is exceeded #149532

Closed
azasypkin opened this issue Jan 25, 2023 · 1 comment · Fixed by #152949
Labels
enhancement New value added to drive a business result Feature:Security/Session Management Platform Security - Session Management Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!

azasypkin commented Jan 25, 2023

Summary

It's a follow-up for #145099 and a part of #18162.

In the scope of this issue we should investigate & implement if it's possible to explain the logout reason to the user when the concurrent session limit is exceeded. There are two possible scenarios when a user's session might be invalidated because of the exceeded concurrent session limit:

  • During the regular cleanup background job - in this case we cannot give the user the exact reason why their session is no longer valid (the user has a cookie, but there is no session document anymore and it's impossible to know why the session document doesn't exist)
  • During user authentication - in this case we know the reason for the logout and we can explain it to the user.
@azasypkin azasypkin added Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! enhancement New value added to drive a business result Feature:Security/Session Management Platform Security - Session Management labels Jan 25, 2023
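
The two scenarios from the issue description, as an added example that is not part of the issue or of Kibana's code: a simplified in-memory model showing why the reason is recoverable only while the session document still exists. `SessionIndex`, `replay` and the reason strings are hypothetical names, and the sample user is constructed.

```javascript
// Simplified model of a session index with a concurrent session limit.
// Hypothetical names throughout; this is not Kibana's implementation.
class SessionIndex {
  constructor(maxSessions) {
    this.maxSessions = maxSessions;
    this.docs = new Map(); // sid -> { user, createdAt }
    this.clock = 0; // logical clock keeps ordering deterministic
  }

  // Creates a session document and returns the sid stored in the cookie.
  login(user) {
    const sid = `sid-${++this.clock}`;
    this.docs.set(sid, { user, createdAt: this.clock });
    return sid;
  }

  // Sessions of `user` that fall outside the newest `maxSessions`.
  overLimit(user) {
    return [...this.docs.entries()]
      .filter(([, doc]) => doc.user === user)
      .sort(([, a], [, b]) => b.createdAt - a.createdAt)
      .slice(this.maxSessions)
      .map(([sid]) => sid);
  }

  // Scenario 1: background cleanup deletes documents; no reason survives.
  cleanup() {
    const users = new Set([...this.docs.values()].map((d) => d.user));
    for (const user of users) {
      for (const sid of this.overLimit(user)) this.docs.delete(sid);
    }
  }

  // Scenario 2: check performed while authenticating a request with cookie `sid`.
  authenticate(sid) {
    const doc = this.docs.get(sid);
    if (!doc) return { valid: false, reason: 'UNKNOWN' }; // cookie, no document
    if (this.overLimit(doc.user).includes(sid)) {
      this.docs.delete(sid);
      return { valid: false, reason: 'CONCURRENCY_LIMIT' }; // reason is known
    }
    return { valid: true, reason: null };
  }
}

// Two logins by one user with a limit of 1, optionally with cleanup in between.
function replay(runCleanupFirst) {
  const index = new SessionIndex(1);
  const first = index.login('alice'); // constructed sample user
  const second = index.login('alice'); // second login, e.g. a private window
  if (runCleanupFirst) index.cleanup();
  return { first: index.authenticate(first), second: index.authenticate(second) };
}
```
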
@elasticmachine

Pinging @elastic/kibana-security (Team:Security)

@thomheymann thomheymann self-assigned this Mar 8, 2023
thomheymann added a commit that referenced this issue Mar 21, 2023
Resolves #149532

## Summary

Explain logout reason when current session limit has been reached. 

## Screenshot

<img width="498" alt="Screenshot 2023-03-08 at 18 03 43"
src="https://user-images.githubusercontent.com/190132/223793779-b3c0893e-3974-4a07-a81b-a5b0de5086a5.png">

## Testing

1. Configure concurrent session limit:

```yaml
xpack.security.session.concurrentSessions:
  maxSessions: 1
```

2. Log into Kibana
3. Open a private browsing window and log in again with the same user
4. Go back to the first window and navigate to a different page
5. This will log the user out showing the concurrent session limit
message
nkhristinin pushed a commit that referenced this issue Mar 22, 2023
tsullivan pushed a commit to tsullivan/kibana that referenced this issue Mar 22, 2023