Hi team, I set up SAML-based SSO for our SonarQube instances running the community version 9.9.3. Things are working fine, but I noticed the SSO session cookie survives browser restarts, meaning I don't have to re-authenticate myself when I restart my browser. I can use sonar.web.sessionTimeoutInMinutes to set the inactivity timeout duration of user sessions. Is there a way to invalidate the session cookie when a browser is restarted? Thanks
Hey @David_Yi
I don't think this is possible today, since sonar.web.sessionTimeoutInMinutes has a minimum value of 6 (and I doubt anybody who wrote this very old piece of code is around to explain why that's the minimum).
What you’re asking for makes sense to me in the context of a high-security environment, which I assume you’re in.
It might be possible to rewrite the cookie expiration at the reverse proxy level (leaving it empty, to become a session cookie), but I haven’t tried that out myself.
In any case, I’ll flag this idea for attention.
Hi @Colin, thanks for getting back to me! It would be great if you could try it out with a popular reverse proxy like Nginx. That would benefit a lot of your users. Thanks
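The proxy-level rewrite suggested in the thread, as an added example that is not part of the original posts and not SonarQube or nginx code: a small Go reverse proxy (net/http/httputil) that sits in front of the SonarQube instance and strips the Expires and Max-Age attributes from the session cookie on every response, so the browser receives a session cookie with no lifetime and drops it on exit. The upstream address (127.0.0.1:9000), the listen port (8080) and the cookie name JWT-SESSION are assumptions for illustration; check which cookie your instance actually sets before deploying this. The sample Set-Cookie values used in the test are constructed.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// stripPersistence removes the Expires and Max-Age attributes from one
// Set-Cookie header value, turning a persistent cookie into a session cookie
// (no lifetime attribute, so the browser discards it when it exits). Every
// other attribute (Path, Secure, HttpOnly, SameSite, ...) is kept unchanged.
func stripPersistence(setCookie string) string {
	parts := strings.Split(setCookie, ";")
	kept := make([]string, 0, len(parts))
	for i, p := range parts {
		attr := strings.TrimSpace(p)
		if i > 0 { // index 0 is the name=value pair itself; never drop it
			name := attr
			if eq := strings.IndexByte(attr, '='); eq >= 0 {
				name = attr[:eq]
			}
			switch strings.ToLower(strings.TrimSpace(name)) {
			case "expires", "max-age":
				continue
			}
		}
		kept = append(kept, attr)
	}
	return strings.Join(kept, "; ")
}

// rewriteSetCookies applies stripPersistence to every Set-Cookie header whose
// cookie name is listed in targets. Cookies not listed keep their own lifetime,
// so unrelated cookies set by the upstream are not affected.
func rewriteSetCookies(h http.Header, targets map[string]bool) {
	cookies := h.Values("Set-Cookie")
	if len(cookies) == 0 {
		return
	}
	h.Del("Set-Cookie")
	for _, c := range cookies {
		name := c
		if i := strings.IndexAny(c, "=;"); i >= 0 {
			name = c[:i]
		}
		if targets[strings.TrimSpace(name)] {
			c = stripPersistence(c)
		}
		h.Add("Set-Cookie", c)
	}
}

func main() {
	// Assumed upstream: SonarQube listening on 127.0.0.1:9000 (adjust for your deployment).
	upstream, err := url.Parse("http://127.0.0.1:9000")
	if err != nil {
		log.Fatal(err)
	}
	proxy := httputil.NewSingleHostReverseProxy(upstream)

	// JWT-SESSION is assumed here to be the cookie carrying the SonarQube
	// session; confirm the name in your browser's developer tools first.
	targets := map[string]bool{"JWT-SESSION": true}
	proxy.ModifyResponse = func(resp *http.Response) error {
		rewriteSetCookies(resp.Header, targets)
		return nil
	}

	fmt.Println("listening on :8080, forwarding to", upstream)
	log.Fatal(http.ListenAndServe(":8080", proxy))
}
```

Two caveats a practitioner should weigh before relying on this. First, it only changes the copy of the cookie held by the browser; the server-side session stays valid until the inactivity timeout set by sonar.web.sessionTimeoutInMinutes, so a cookie value captured before the restart can still be replayed within that window. Second, browsers configured to restore the previous session on startup (Chrome's "Continue where you left off", Firefox session restore) may keep session cookies across a restart anyway, so the behaviour should be verified with the browser policy actually deployed. If the rewrite is done in nginx instead of Go, note that the stock directives proxy_cookie_path, proxy_cookie_domain and proxy_cookie_flags rewrite Path, Domain and the Secure/HttpOnly/SameSite flags but do not remove Expires or Max-Age; the same attribute-stripping logic would have to live in a header filter module such as ngx_http_lua_module.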