authorAdrian Turjak <adriant@catalyst.net.nz>2018-07-11 16:33:31 +1200
committerAkihiro Motoki <amotoki@gmail.com>2018-12-23 09:33:49 +0900
commitdc0ffaf2d80f77a90d6f98e6dcad08e7901f68df (patch)
treee84c6cc6c8a342467821790775697e1f9eda6716 /openstack_dashboard/settings.py
parent06ab7a5047d0c151830c1c902aea1e80272b71f9 (diff)
Change session timeout to an idle timeout value
Add a new config SESSION_REFRESH (default True) which turns SESSION_TIMEOUT into an idle timeout rather than a hard timeout. The existing hard timeout is awful UX, and while SESSION_TIMEOUT could be set to a higher value, it still makes for a somewhat unpleasant experience. Co-Authored-By: Akihiro Motoki <amotoki@gmail.com> Change-Id: Icc6942e62c4e8d2fac57988b0a2233a8073b1944
Diffstat (limited to 'openstack_dashboard/settings.py')
-rw-r--r--openstack_dashboard/settings.py14
1 files changed, 11 insertions, 3 deletions
diff --git a/openstack_dashboard/settings.py b/openstack_dashboard/settings.py
index 2619acd85..b168ae41f 100644
--- a/openstack_dashboard/settings.py
+++ b/openstack_dashboard/settings.py
@@ -203,9 +203,17 @@ SESSION_COOKIE_HTTPONLY = True
SESSION_EXPIRE_AT_BROWSER_CLOSE = True
SESSION_COOKIE_SECURE = False
-# SESSION_TIMEOUT is a method to supersede the token timeout with a shorter
-# horizon session timeout (in seconds). So if your token expires in 60
-# minutes, a value of 1800 will log users out after 30 minutes
+# Control whether the SESSION_TIMEOUT period is refreshed due to activity. If
+# False, SESSION_TIMEOUT acts as a hard limit.
+SESSION_REFRESH = True
+
+# This SESSION_TIMEOUT is a method to supercede the token timeout with a
+# shorter horizon session timeout (in seconds). If SESSION_REFRESH is True (the
+# default) SESSION_TIMEOUT acts like an idle timeout rather than being a hard
+# limit, but will never exceed the token expiry. If your token expires in 60
+# minutes, a value of 1800 will log users out after 30 minutes of inactivity,
+# or 60 minutes with activity. Setting SESSION_REFRESH to False will make
+# SESSION_TIMEOUT act like a hard limit on session times.
SESSION_TIMEOUT = 3600
# When using cookie-based sessions, log error when the session cookie exceeds
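Review bot: The new default `SESSION_REFRESH = True` changes what an already-configured `SESSION_TIMEOUT` means after an upgrade. A deployment that relied on it as a hard cap on session lifetime now gets an idle timeout, bounded only by the token expiry. The comment above `SESSION_REFRESH` should say this explicitly, for example `# NOTE: with the default (True) an active session can last until the token expires; set to False to keep SESSION_TIMEOUT as a hard cap.` The added comment on `SESSION_TIMEOUT` also spells "supersede" as "supercede", which the removed lines had right. The code that performs the refresh and enforces the token-expiry bound is not in this file section, so that claim in the comment cannot be checked from here.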