Commit 48a5580

Merge pull request #1700 from rundeck/session-expire-feature-docs
Update docs Session Timeouts and Force ReAuthentication
2 parents 10a319b + fccbb19 commit 48a5580

1 file changed

+40
-2
lines changed

docs/administration/configuration/config-file-reference.md

Lines changed: 40 additions & 2 deletions
@@ -235,10 +235,48 @@ used. Specified from [jaas-loginmodule.conf](#jaas-loginmodule-conf).
235235

236236
## Session timeout
237237

238-
See [rundeck-config.properties > Server Settings](#server-settings)
238+
Session Timeout Behavior:
239239

240-
Or set `server.servlet.session.timeout` via [System Properties Configuration](/administration/configuration/system-properties.md).
240+
- **Activity-based timeout**: Under normal operations, sessions time out based on inactivity using the value defined in `server.servlet.session.timeout` (default: 3600 seconds).
241+
- **Forced re-authentication**: When `rundeck.userSessionDuration.forceReauthentication` is enabled, sessions will expire after the duration defined in `rundeck.userSessionDuration.maxMinutes`, regardless of user activity.
242+
- **Default values**: When `rundeck.userSessionDuration.forceReauthentication` is enabled and `rundeck.userSessionDuration.maxMinutes` isn't specified, the default `userSessionDuration.maxMinutes` is 60 minutes.
241243

244+
:::tip
245+
Beware that using the forced re-authentication feature may result in data loss if jobs are not saved when the session is invalidated.
246+
:::
247+
248+
### Inactivity Timeout
249+
250+
To configure the inactivity timeout use `server.servlet.session.timeout`. The default is 3600 seconds.
251+
252+
Example configurations:
253+
254+
```properties
255+
# Standard activity-based timeout (2 hours)
256+
server.servlet.session.timeout=7200
257+
```
258+
259+
Also see [rundeck-config.properties > Server Settings](#server-settings)
260+
261+
### Forced re-authentication (Commercial Products Only)
262+
263+
It is also possible to force re-authentication regardless of activity levels.
264+
265+
- `rundeck.userSessionDuration.maxMinutes`: Maximum duration in minutes for user sessions. Default: 60 minutes.
266+
- `rundeck.userSessionDuration.forceReauthentication`: Default: `false`. When set to `true`, enforces session timeout regardless of user activity. When set to `false` (default), no forced re-authentication occurs and sessions only time out based on inactivity.
267+
268+
All of these can be set via [System Properties Configuration](/administration/configuration/system-properties.md) or in `rundeck-config.properties`.
269+
270+
Example configurations:
271+
272+
```properties
273+
# Force reauthentication after 8 hours regardless of activity
274+
rundeck.userSessionDuration.maxMinutes=480
275+
rundeck.userSessionDuration.forceReauthentication=true
276+
277+
# Force reauthentication regardless of activity with default 60-minute timeout
278+
rundeck.userSessionDuration.forceReauthentication=true
279+
```
242280
## rundeck-config.properties
243281

244282
This is the primary Rundeck webapp configuration file. Defines default
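
Review bot: The overview bullets at new lines 240-242 describe forced re-authentication as if it were generally available, but the "(Commercial Products Only)" qualifier appears only on the heading at line 261; an administrator who reads just the summary may assume an absolute session lifetime is enforced when only the inactivity timeout applies. Repeat the qualifier in the "Forced re-authentication" bullet. In the same bullets, line 242 names the default as `userSessionDuration.maxMinutes`, dropping the `rundeck.` prefix used everywhere else in the section. The data-loss caution at lines 244-246 sits in a `:::tip` block, which understates it; a warning-level admonition fits better. The second example block (lines 272-279) sets `rundeck.userSessionDuration.forceReauthentication=true` twice inside one fence, so splitting it into two fences would make each variant safe to copy whole. It would also help to state side by side that `server.servlet.session.timeout` is in seconds while `rundeck.userSessionDuration.maxMinutes` is in minutes. Finally, the removed line 240 pointed to System Properties Configuration for `server.servlet.session.timeout`; that pointer now appears only under the forced re-authentication section (line 268), so consider keeping it in "Inactivity Timeout" as well.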
