Currently we don't set any values for xpack.security.session.{lifespan|idleTimeout} by default and hence users' sessions stay active until the browser is closed.
It's widely accepted that infinite sessions (browsers may stay open for months) are suboptimal, and with the introduction of server-side sessions in #68117 such sessions may introduce technical challenges since there won't be any criterion we can rely on to automatically invalidate such sessions as a part of the cleanup routine. Such sessions will be removed from the Elasticsearch index only if the user explicitly logs out, unless we provide an admin UI to do that through Kibana (although possible, but unlikely in the near future).
Elasticsearch API keys, by default, never expire. But these serve a different purpose and cannot be used as a reference here.
Default expiration time for Elasticsearch tokens is 20 minutes and maximum lifetime is 1 hour.
We don't need to be that aggressive, but we must suggest reasonable non-infinite defaults. Ideally for both idleTimeout and lifespan, but I don't have a strong opinion on that or the values we should pick. The more or less relaxed version I can think of is:
xpack.security.session.idleTimeout: 1h or 2h
xpack.security.session.lifespan: 30d or disabled by default like it's now
It'd be a breaking change, so the earliest version we can do that in is 8.0.0.
What do you think @elastic/kibana-security?
Blocked by: #53478, #22374
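As an added example (not Kibana's own code), the following TypeScript sketches how configured idleTimeout and lifespan values give a server-side cleanup routine a criterion for removing sessions from the index, while the current "both disabled" default leaves it with none; SessionRecord, SessionPolicy and the sample sessions are assumptions constructed for the example.

```typescript
// Durations in milliseconds; null means "disabled" (the current default).
interface SessionRecord {
  sid: string;
  createdAt: number;     // epoch ms when the session was established
  lastActivity: number;  // epoch ms of the most recent request on it
}

interface SessionPolicy {
  idleTimeout: number | null; // xpack.security.session.idleTimeout
  lifespan: number | null;    // xpack.security.session.lifespan
}

const HOUR = 60 * 60 * 1000;
const DAY = 24 * HOUR;

// Earliest instant at which the session stops being valid, or null when
// neither setting is configured (the session then ends only on explicit logout).
function expiresAt(session: SessionRecord, policy: SessionPolicy): number | null {
  const idleExpiry = policy.idleTimeout === null ? null : session.lastActivity + policy.idleTimeout;
  const lifespanExpiry = policy.lifespan === null ? null : session.createdAt + policy.lifespan;
  if (idleExpiry === null) return lifespanExpiry;
  if (lifespanExpiry === null) return idleExpiry;
  return Math.min(idleExpiry, lifespanExpiry);
}

function isExpired(session: SessionRecord, policy: SessionPolicy, now: number): boolean {
  const exp = expiresAt(session, policy);
  return exp !== null && now >= exp;
}

// Cleanup routine: the sids that can be removed from the index at "now".
function sessionsToPurge(sessions: SessionRecord[], policy: SessionPolicy, now: number): string[] {
  return sessions.filter((s) => isExpired(s, policy, now)).map((s) => s.sid);
}

// Constructed sample: three sessions observed at a hypothetical "now".
const NOW = 1700000000000;
const SAMPLE: SessionRecord[] = [
  { sid: 'a', createdAt: NOW - 2 * HOUR, lastActivity: NOW - 30 * 60 * 1000 }, // young, recently used
  { sid: 'b', createdAt: NOW - 2 * DAY, lastActivity: NOW - 3 * HOUR },        // idle for 3h
  { sid: 'c', createdAt: NOW - 40 * DAY, lastActivity: NOW - 10 * 60 * 1000 }, // 40 days old, still used
];

const CURRENT_DEFAULTS: SessionPolicy = { idleTimeout: null, lifespan: null }; // nothing ever purgeable
const PROPOSED: SessionPolicy = { idleTimeout: 1 * HOUR, lifespan: 30 * DAY }; // 1h idle, 30d lifespan
```

With the current defaults the cleanup routine never finds anything to remove; with the proposed values it purges the idle session and the one past its lifespan while leaving the active, young one alone.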