Reset LOGIN_TIMEOUT countdown on each web request

[koratfood]

NetBox version

v2.11.10

Feature type

Change to existing functionality

Proposed functionality

I would like to propose that we make LOGIN_TIMEOUT an inactivity timer (i.e. log out users who do not send any new requests before the timer runs out), instead of a "time since user last entered their credentials" timer which it currently is.

Based on a few simple web searches, I have found that this can be easily achieved by appending "SESSION_SAVE_EVERY_REQUEST = True" to settings.py (possibly via configuration.py and getattr to make it optional). Based on my own tests, this appears to make Netbox behave exactly as I prefer. However, I have no experience with Django, and I am not a developer. Thus, I am not sure whether this - should you find the change to be conceptually acceptable for Netbox - would be a sensible or acceptable implementation.

Use case

This would make it easier for admins to use a lower LOGIN_TIMEOUT value and thus log out inactive users, without the risk of bothering active users with re-authentication while they are actively working and navigating the UI.

Database changes

No response

External dependencies

No response

[jeremystretch]

For context, NetBox's LOGIN_TIMEOUT configuration parameter is actually a wrapper around Django's SESSION_COOKIE_AGE setting. This controls the lifetime of the session cookie at the time of login, and it does not get updated until the cookie expires and the user is forced to re-authenticate by logging in again.

I have found that this can be easily achieved by appending "SESSION_SAVE_EVERY_REQUEST = True"

The impact of this is writing to the database or session file (depending on how NetBox is configured) on every request, whether or not any data has been modified. This can impose a significant performance impact in highly active deployments, so it's probably not something we want to turn on by default. Seems like the best route here would be a new configuration parameter to allow the admin to toggle the behavior.

[koratfood]

I see. Thanks for helping me understand. Would be great to have it available as an option in configuration.py if that is acceptable.

[DanSheps]

I think that is a reasonable change, and fairly simple to accomplish.

[koratfood]

If this one gets accepted, please feel free to assign it to me, and I can post a PR. Thanks.

[jeremystretch]

What's the proposed configuration parameter name? SESSION_SAVE_EVERY_REQUEST seems a bit unwieldy IMO.

[koratfood]

I agree. Here is a suggestion, including comments:

# Setting this to True will re-write users' login sessions on every page request, thus restarting the LOGIN_TIMEOUT
# countdown and relieving active users from re-authentication. This imposes a performance impact, and should be
# used with caution in highly active deployments.
KEEP_ACTIVE_USERS_LOGGED_IN = False

Or, to be slightly more technical about it, maybe KEEP_ACTIVE_SESSIONS_ALIVE ?
I find it hard to come up with a more self-explanatory parameter name without making it too verbose.