diff --git a/conf/defaults.ini b/conf/defaults.ini
index 60fa25e4bce..244cb7346a6 100644
--- a/conf/defaults.ini
+++ b/conf/defaults.ini
@@ -122,6 +122,9 @@ cookie_username = grafana_user
 # How many days an session can be unused before we inactivate it
 login_remember_days = 7
+# How often should the login token be rotated. default to '30m'
+rotate_cookie_every = 30m
+
 # How long should Grafana keep expired tokens before deleting them
 delete_expired_token_after_days = 30
diff --git a/conf/sample.ini b/conf/sample.ini
index 96b92db6f48..29f136fa341 100644
--- a/conf/sample.ini
+++ b/conf/sample.ini
@@ -102,6 +102,28 @@ log_queries =
 # For "sqlite3" only. cache mode setting used for connecting to the database. (private, shared)
 ;cache_mode = private
+#################################### Login ###############################
+
+[login]
+
+# Login cookie name
+;cookie_name = grafana_session
+
+# If you want login cookies to be https only. default is false
+;cookie_secure = false
+
+# Logged in user name
+;cookie_username = grafana_user
+
+# How many days an session can be unused before we inactivate it
+;login_remember_days = 7
+
+# How often should the login token be rotated. default to '30m'
+;rotate_cookie_every = 30m
+
+# How long should Grafana keep expired tokens before deleting them
+;delete_expired_token_after_days = 30
+
 #################################### Session ####################################
 [session]
 # Either "memory", "file", "redis", "mysql", "postgres", default is "file"
diff --git a/pkg/services/auth/auth_token.go b/pkg/services/auth/auth_token.go
index c04389ab557..a6a0cad89e3 100644
--- a/pkg/services/auth/auth_token.go
+++ b/pkg/services/auth/auth_token.go
@@ -23,7 +23,6 @@ func init() {
 var (
 getTime = time.Now
- RotateTime = 2 * time.Minute
 UrgentRotateTime = 20 * time.Second
 oneYearInSeconds = 31557600 //used as default maxage for session cookies. We validate/rotate them more often.
 )
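Review bot: The new `rotate_cookie_every` comment gives no hint about the accepted format: the value is parsed as a Go duration (the setting.go hunk reads it with `MustDuration`), while the neighbouring `login_remember_days` and `delete_expired_token_after_days` keys are plain integers of days, so an operator writing `30` without a unit will not get what they expect. Suggest `# How often should the login token be rotated. Go duration string such as '30m' or '1h'; default '30m'`. The same comment text appears in the sample.ini hunk of this commit and should be updated together with this one.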
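Review bot: The new [login] sample documents `;cookie_username = grafana_user`, which matches defaults.ini, but the code fallback visible in the setting.go Load hunk of this commit is `MustString("grafana_username")`. That fallback is only reached when defaults.ini lacks the key, so this is not a runtime bug, but a reader comparing sample.ini with setting.go sees two different defaults for the same key. Aligning the fallback with `grafana_user` would remove the ambiguity; since that line is pre-existing context rather than part of this change, it may belong in a follow-up.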
@@ -219,7 +218,7 @@ func (s *UserAuthTokenServiceImpl) RefreshToken(token *userAuthToken, clientIP,
 needsRotation := false
 rotatedAt := time.Unix(token.RotatedAt, 0)
 if token.AuthTokenSeen {
- needsRotation = rotatedAt.Before(now.Add(-RotateTime))
+ needsRotation = rotatedAt.Before(now.Add(-s.Cfg.LoginCookieRotation))
 } else {
 needsRotation = rotatedAt.Before(now.Add(-UrgentRotateTime))
 }
diff --git a/pkg/services/auth/auth_token_test.go b/pkg/services/auth/auth_token_test.go
index a34dbc673e6..22a126fa7c5 100644
--- a/pkg/services/auth/auth_token_test.go
+++ b/pkg/services/auth/auth_token_test.go
@@ -297,11 +297,11 @@ func createTestContext(t *testing.T) *testContext {
 LoginCookieSecure: false,
 LoginCookieMaxDays: 7,
 LoginDeleteExpiredTokensAfterDays: 30,
+ LoginCookieRotation: 10 * time.Minute,
 },
 log: log.New("test-logger"),
 }
- RotateTime = 10 * time.Minute
 UrgentRotateTime = time.Minute
 setting.LogInRememberDays = 7
diff --git a/pkg/setting/setting.go b/pkg/setting/setting.go
index 66710c8e190..f6dc154235a 100644
--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@@ -229,6 +229,7 @@ type Cfg struct {
 LoginCookieUsername string
 LoginCookieSecure bool
 LoginCookieMaxDays int
+ LoginCookieRotation time.Duration
 LoginDeleteExpiredTokensAfterDays int
 }
@@ -560,6 +561,7 @@ func (cfg *Cfg) Load(args *CommandLineArgs) error {
 cfg.LoginCookieSecure = login.Key("cookie_secure").MustBool(false)
 cfg.LoginCookieUsername = login.Key("cookie_username").MustString("grafana_username")
 cfg.LoginDeleteExpiredTokensAfterDays = login.Key("delete_expired_token_after_days").MustInt(30)
+ cfg.LoginCookieRotation = login.Key("rotate_cookie_every").MustDuration(time.Minute * 30)
 Env = iniFile.Section("").Key("app_mode").MustString("development")
 InstanceName = iniFile.Section("").Key("instance_name").MustString("unknown_instance_name")
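Review bot: `s.Cfg.LoginCookieRotation` is used here without any lower bound, so a zero value (a Cfg built without going through Load, or `rotate_cookie_every = 0`) makes `rotatedAt.Before(now.Add(0))` true for every seen token, and a negative value turns every refresh into a rotation; neither this hunk nor the setting.go Load hunk in this commit rejects that, and if I read go-ini's `MustDuration` right a malformed value silently becomes the 30m default with no log line. The natural place is Load, directly after the `MustDuration` line: `if cfg.LoginCookieRotation <= 0 { return fmt.Errorf("[login] rotate_cookie_every must be a positive duration, got %v", cfg.LoginCookieRotation) }` (assuming fmt is already imported in setting.go). It is also worth stating in the commit description that the default moves from the removed 2-minute `RotateTime` constant to 30 minutes, since, as far as this hunk shows, the rotation interval is how long an already-issued token stays accepted before it is replaced. RefreshToken's body starts and ends outside this hunk.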
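Review bot: The new `LoginCookieRotation` field in Cfg carries no doc comment, and nothing at the type ties it back to the ini key and unit it is loaded from, so a reader has to grep Load to learn that it is a duration rather than a day count. Suggest `// LoginCookieRotation is how often a seen login token is rotated; loaded from [login] rotate_cookie_every as a Go duration.` on the line above the field. The neighbouring Login* fields are uncommented too, but this one sits next to `LoginCookieMaxDays int` and is the one most likely to be misread without its unit stated.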