When closing down the browser, the portal session stays alive, causing the user to be logged in when he restarts the browser (while the session has not expired). This seems not to be the expected behaviour for the user (unless he explicitly chose an option like "keep me logged in"), even though Ingo told me it works as designed. For customers we require at least the option to define a system-wide setting that changes the session's behaviour, so the session cookie gets invalidated when the browser is closed. Still, there should be a timeout of the session itself, but that would need to be checked by the backend. In an additional step there could be a third system-wide option offered, like "keep me logged in", where the user can select during the login process to keep the session alive even when the browser is closed. This session would stay alive for an also system-wide defined number of days.
This issue is about the Portal *and* UMC session managed by "UMCSessionId". The current behaviour stays the default behaviour, so the update doesn't impose a functional change onto existing customer instances. We would need a UCR variable that allows setting the new behaviour. I understood that there is actually a session timeout managed in the backend, so we really only need the option to switch the UMCSessionId cookie to be a real session cookie that gets purged when the browser is closed. See also https://forge.univention.org/bugzilla/show_bug.cgi?id=52873 for the SAML side of things.
[4.4-8 0523fc321d] Bug #52353: Login cookie can now be configured to be deleted when browser is closed 2 files changed, 16 insertions(+), 4 deletions(-) (+ Changelog + YAML) [umc/http/session/cookie] If set, the login cookie is a session cookie: closing the browser will delete the cookie, effectively logging out the user. Also tested with SAML. Package: univention-management-console Version: 11.0.6-12A~4.4.0.202106240018 Branch: ucs_4.4-0 Scope: errata4.4-8
I will cherry-pick 0523fc321d for 5.0-0 once the bug is verified for 4.4-8.
(In reply to Dirk Wiesenthal from comment #3) > I will cherry-pick 0523fc321d for 5.0-0 once the bug is verified for 4.4-8. Since UCS 5.0 is released, you have to clone the bug.
[4.4-8 2757e5c334] Bug #52353: Rename UCRV 2 files changed, 2 insertions(+), 2 deletions(-) umc/http/session/cookie -> umc/http/enforce-session-cookie Package: univention-management-console Version: 11.0.6-13A~4.4.0.202106241201 Branch: ucs_4.4-0 Scope: errata4.4-8
OK: UCR variable naming OK: cookies are sent as session cookies without expiry date OK: UMCLang cookie is still a 5-year cookie
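What the switch discussed in this bug changes on the wire is simply whether the Set-Cookie header for UMCSessionId carries an Expires/Max-Age attribute (a persistent cookie that survives a browser restart) or neither (a session cookie the browser purges on close). The following is an added example, not code from univention-management-console: it builds such a header for both settings and then audits a constructed set of response headers the way the QA step above does, reporting per cookie whether it is a session cookie. The `enforce_session_cookie` parameter only models the idea of umc/http/enforce-session-cookie; the real variable's implementation is not shown on this page, and the sample headers are constructed.

```python
"""Session cookie vs. persistent cookie: build and audit Set-Cookie headers.

Added example (not Univention project code).  Note that the server-side
session timeout is unaffected by this switch and still has to be enforced
by the backend: only the client forgets a session cookie on browser close.
"""
import email.utils
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    # attribute name (lower-cased) -> value, or None for flags like HttpOnly
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)


def build_set_cookie(name: str, value: str, enforce_session_cookie: bool,
                     max_age_seconds: int, secure: bool = True) -> str:
    """Return a Set-Cookie header value.

    enforce_session_cookie is an assumed stand-in for the UCR switch: when
    True, Expires and Max-Age are omitted so the browser treats the cookie
    as a session cookie; when False a persistent cookie is emitted.
    """
    parts = ["%s=%s" % (name, value), "Path=/", "HttpOnly"]
    if secure:
        parts.append("Secure")
    if not enforce_session_cookie:
        expires = email.utils.formatdate(time.time() + max_age_seconds, usegmt=True)
        parts.append("Max-Age=%d" % max_age_seconds)
        parts.append("Expires=%s" % expires)
    return "; ".join(parts)


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header value into name, value and attributes."""
    pieces = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = pieces[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in pieces[1:]:
        key, eq, val = attr.partition("=")
        cookie.attrs[key.strip().lower()] = val.strip() if eq else None
    return cookie


def is_session_cookie(cookie: Cookie) -> bool:
    """A cookie without Expires and without Max-Age lives only for the browser session."""
    return "expires" not in cookie.attrs and "max-age" not in cookie.attrs


def audit_cookies(set_cookie_headers: List[str]) -> Dict[str, bool]:
    """Map each cookie name to True if it is a session cookie, False if persistent."""
    return {c.name: is_session_cookie(c)
            for c in map(parse_set_cookie, set_cookie_headers)}


# Constructed sample of the Set-Cookie headers a login response might carry
# once the switch is active: the login cookie without expiry, the language
# cookie still long-lived.  These lines are made up for the example.
CONSTRUCTED_RESPONSE_HEADERS = [
    "UMCSessionId=0123456789abcdef; Path=/; HttpOnly; Secure",
    "UMCLang=de_DE; Path=/; Expires=Sat, 24 Jun 2026 00:18:00 GMT",
]


if __name__ == "__main__":
    for setting in (False, True):
        hdr = build_set_cookie("UMCSessionId", "0123456789abcdef", setting, 600)
        kind = "session" if is_session_cookie(parse_set_cookie(hdr)) else "persistent"
        print("enforce_session_cookie=%s -> %s cookie: %s" % (setting, kind, hdr))
    for name, ok in audit_cookies(CONSTRUCTED_RESPONSE_HEADERS).items():
        print("%-12s %s" % (name, "session cookie" if ok else "persistent cookie"))
```

To run the same check against a live instance, capture the Set-Cookie headers of the login response (for example with the browser's network panel or `curl -i`) and feed them to `audit_cookies`; UMCSessionId should come back as a session cookie once the variable is set, while UMCLang stays persistent.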
<https://errata.software-univention.de/#/?erratum=4.4x1035>