SonarQube cookie expiration

SonarQube v7.9.1 LTS

Once I log in to SonarQube with Active Directory credentials and close the browser, I remain logged in after opening the browser again. I am not sure what the default cookie validity/lifetime expiration set by SonarQube is. But is there a way to reduce the cookie expiration time and to clean the SonarQube cookie once the browser has been closed?

Hey @ankurja,

As the <SONARQUBE_PATH>/conf/sonar.properties says:

# The inactivity timeout duration of user sessions, in minutes. After the configured
# period of time, the user is logged out.
# The default value is set to 3 days (4320 minutes)
# and cannot be greater than 3 months. Value must be strictly positive.
#sonar.web.sessionTimeoutInMinutes=4320

So you can change this value and make it shorter (even really short, as the cookie expiration date will be updated each time the user does an action, so it’s an inactivity timer, not a session timer). Sessions will also be ended when SonarQube is restarted.
I’m not a Web developer myself, but I don’t think there is a way, from the server side, to know when the browser is closed and then end the session. Hence the inactivity timeout parameter.

I hope this helps.

Hi @Antoine, I tried using this property to set the timeout to 5 minutes. It sets the session cookie correctly to expire in 5 minutes, but it is not working the way you documented. It does not work as an inactivity timer. The cookie expiration time does not get reset even though I keep using SonarQube. Once I log in and the cookie time is set, the time never gets updated. Finally it throws me out 5 minutes after my initial login time. How to fix this?

@Antoine, any update on this?

Hello @ankurja,

Well, I’m not sure what could be happening. Look, here I made a quick screencast on my local 7.9.3 instance, and the cookie expiration is reset at each query.

Did you try in incognito mode to avoid cache issues, or with another browser maybe?

Hi @Antoine, I tried in incognito mode and also in other browsers (Firefox, Chrome); the behavior is the same. The expiration time does not change at all.
I even tried with the latest SonarQube version (8.2.0) and there is no change… I am not sure what’s going on. Am I missing something or doing something wrong?
All I have done is to set sonar.web.sessionTimeoutInMinutes=5 in sonar.properties.
I have recorded a video too.

Hello @ankurja,

I did some tests and I think I get it. As you can see in our source code here, expiration dates will be refreshed every 5 minutes only. Consequently sonar.web.sessionTimeoutInMinutes must be greater than that, otherwise no refresh will happen before you are logged out. So you should use 6 minutes at least (and on our side, we will likely document that point).

Now you will realize that after 5 minutes, expiration dates are refreshed at every query, not every 5 minutes as explained above. This might be a bug we are investigating. Though the first point stays valid, and this bug does not prevent the expiration mechanism from working well (it just uselessly refreshes more often than expected).

I hope it makes things clearer.


Thanks @Antoine for further investigation.

I tested it and it does work the way you described. One issue though.

This time I set sessionTimeoutInMinutes to 20 minutes.

15:14:58 GMT -> First log in made
15:34:58 GMT -> Cookie expiration time set by SonarQube

Keep browsing in SQ till 15:19:00 GMT approx. (till any time before the first 5 minutes complete, and not after that).
The user will be logged out at the original expiry time -> 15:34:58 GMT. Isn’t that the wrong behavior?

But yes, after the first 5 minutes expire and “if the user is still browsing in SonarQube”, the cookie expiration time does get refreshed automatically on every single click.

Funny, I also caught it but thought you wouldn’t notice :slight_smile:
You’re right, technically the worst scenario is to be logged out after (sonar.web.sessionTimeoutInMinutes - 5) minutes. Though usually this value is set for several days, at least several hours, so 5 minutes does not matter much.

In that sense, I won’t call it a wrong behavior, just an implementation detail!
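The mechanism the two posts above describe (the cookie is only re-issued when at least 5 minutes have passed since it was last issued, so the timeout must exceed 5 minutes and the worst case is a logout after timeout minus 5 minutes of inactivity) is easy to model. The Python below is an added example, not SonarQube's code: the class and function names, the integer-minute timeline and the request lists are constructed, and it models only the intended "refresh at most every 5 minutes" behaviour, not the over-refreshing reported later in the thread.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Refresh period named in the thread; minutes are integers counted from login.
REFRESH_INTERVAL_MIN = 5


@dataclass
class Session:
    issued_at: int    # minute at which this cookie was (re)issued
    expires_at: int   # minute at which it stops being accepted


class SessionStore:
    """Sliding-expiration sessions for one configured inactivity timeout
    (hypothetical model of sonar.web.sessionTimeoutInMinutes)."""

    def __init__(self, timeout_min: int):
        self.timeout_min = timeout_min

    def login(self, now: int) -> Session:
        return Session(issued_at=now, expires_at=now + self.timeout_min)

    def on_request(self, session: Session, now: int) -> Optional[Session]:
        """Return the session for this request, refreshed only if the
        refresh interval has elapsed, or None if it has already expired."""
        if now >= session.expires_at:
            return None
        if now - session.issued_at >= REFRESH_INTERVAL_MIN:
            return Session(issued_at=now, expires_at=now + self.timeout_min)
        return session


def refresh_is_possible(timeout_min: int) -> bool:
    """A timeout no longer than the refresh interval can never be extended:
    the cookie expires before the first refresh is due (the thread's
    5-minute case)."""
    return timeout_min > REFRESH_INTERVAL_MIN


def simulate(timeout_min: int, activity: List[int]) -> Tuple[int, Optional[int]]:
    """Replay request times (minutes after login) and return
    (logout_time, rejected_at): logout_time is when the last accepted
    cookie expires, rejected_at is the first request made after expiry."""
    store = SessionStore(timeout_min)
    session = store.login(0)
    for t in sorted(activity):
        refreshed = store.on_request(session, t)
        if refreshed is None:
            return session.expires_at, t
        session = refreshed
    return session.expires_at, None


def worst_case_idle_minutes(timeout_min: int) -> int:
    """Longest stretch of inactivity that still ends in a logout: a user
    active just before the first refresh is due keeps the original expiry."""
    last_click = REFRESH_INTERVAL_MIN - 1          # e.g. minute 4 of 5
    logout, _ = simulate(timeout_min, [last_click])
    return logout - last_click


if __name__ == "__main__":
    # Timeout 5: clicks at minutes 1-4 never trigger a refresh, logout at 5.
    print(simulate(5, [1, 2, 3, 4]))            # (5, None)
    # Timeout 20, browsing stops before minute 5: original expiry stands.
    print(simulate(20, [1, 2, 3, 4]))           # (20, None)
    # Timeout 20, activity past minute 5: each due refresh slides the expiry.
    print(simulate(20, [1, 5, 9, 12]))          # (32, None)
    print(worst_case_idle_minutes(20))          # 16, i.e. at least 20 - 5
```

The first two scenarios reproduce the observations in the thread (a 5-minute timeout behaves as a fixed timer, and a 20-minute session that is only used during its first 5 minutes still ends at the original expiry); the last shows why any timeout must be validated against the refresh interval before it is deployed.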

That was the first thing I wanted to test after reading your reply @Antoine :wink:

About the timeout, well, OWASP recommends “Common idle timeouts ranges are 2-5 minutes for high-value applications and 15-30 minutes for low risk applications.”

It is open for interpretation, though, whether one considers SonarQube a high-value or low-risk application, considering that the entire source code can be accessed through the “Code” tab. But setting 3 days as the default timeout seems too much to me.


Hello @ankurja,
I thought you would like to know that this behaviour is currently being reviewed on our SonarCloud product as we are experiencing something similar. As is normal practice, we will share our findings, and any changes we make, with our SonarQube buddies. I hope this helps?

Thanks @Mark_Clements, good to know that this is being reviewed.

Hello @ankurja,

Let me thank you for your original report, because it finally ended up with 2 improvement tickets on SonarQube :slight_smile: :

  • SONAR-13373: Clarify that sonar.web.sessionTimeoutInMinutes will not work if lower than 5mins
  • SONAR-13372: User JWT Token refresh occurs with every HTTP request instead of every 5 minutes

For the default expiration time, we are also reviewing it, but it’s a broader topic so there is no immediate action (it’s not only about expiration time). Likely this will be improved later as well.

Thank you

Thanks @Antoine for keeping me informed. I am glad I could contribute towards improving the quality of this wonderful product!
