Improve session idle timeout, add session lifespan (#49855)

This adds an absolute session timeout (lifespan) to user sessions.
It also improves the existing session timeout toast and the overall
user experience in several ways.

Author: jportner

docs/settings/security-settings.asciidoc

@@ -49,10 +49,16 @@ is set to `true` if `server.ssl.certificate` and `server.ssl.key` are set. Set
 this to `true` if SSL is configured outside of {kib} (for example, you are
 routing requests through a load balancer or proxy).
 
-`xpack.security.sessionTimeout`::
+`xpack.security.session.idleTimeout`::
 Sets the session duration (in milliseconds). By default, sessions stay active
-until the browser is closed. When this is set to an explicit timeout, closing the
-browser still requires the user to log back in to {kib}.
+until the browser is closed. When this is set to an explicit idle timeout, closing
+the browser still requires the user to log back in to {kib}.
+
+`xpack.security.session.lifespan`::
+Sets the maximum duration (in milliseconds), also known as "absolute timeout". By
+default, a session can be renewed indefinitely. When this value is set, a session
+will end once its lifespan is exceeded, even if the user is not idle. NOTE: if
+`idleTimeout` is not set, this setting will still cause sessions to expire.
 
 `xpack.security.loginAssistanceMessage`::
 Adds a message to the login screen. Useful for displaying information about maintenance windows, links to corporate sign up pages etc.

docs/user/security/authentication/index.asciidoc

@@ -188,9 +188,10 @@ The following sections apply both to <<saml>> and <<oidc>>
 
 Once the user logs in to {kib} Single Sign-On, either using SAML or OpenID Connect, {es} issues access and refresh tokens
 that {kib} encrypts and stores them in its own session cookie. This way, the user isn't redirected to the Identity Provider
-for every request that requires authentication. It also means that the {kib} session depends on the `xpack.security.sessionTimeout` 
-setting and the user is automatically logged out if the session expires. An access token that is stored in the session cookie 
-can expire, in  which case {kib} will automatically renew it with a one-time-use refresh token and store it in the same cookie.
+for every request that requires authentication. It also means that the {kib} session depends on the <<security-ui-settings,
+`xpack.security.session.idleTimeout` and `xpack.security.session.lifespan`>> settings, and the user is automatically logged
+out if the session expires. An access token that is stored in the session cookie can expire, in which case {kib} will
+automatically renew it with a one-time-use refresh token and store it in the same cookie.
 
 {kib} can only determine if an access token has expired if it receives a request that requires authentication. If both access
 and refresh tokens have already expired (for example, after 24 hours of inactivity), {kib} initiates a new "handshake" and

docs/user/security/securing-kibana.asciidoc

@@ -56,16 +56,31 @@ xpack.security.encryptionKey: "something_at_least_32_characters"
 For more information, see <<security-settings-kb,Security Settings in {kib}>>.
 --
 
-. Optional: Change the default session duration. By default, sessions stay
-active until the browser is closed. To change the duration, set the
-`xpack.security.sessionTimeout` property in the `kibana.yml` configuration file.
-The timeout is specified in milliseconds. For example, set the timeout to 600000
-to expire sessions after 10 minutes:
+. Optional: Set a timeout to expire idle sessions. By default, a session stays
+active until the browser is closed. To define a sliding session expiration, set
+the `xpack.security.session.idleTimeout` property in the `kibana.yml`
+configuration file. The idle timeout is specified in milliseconds. For example,
+set the idle timeout to 600000 to expire idle sessions after 10 minutes:
 +
 --
 [source,yaml]
 --------------------------------------------------------------------------------
-xpack.security.sessionTimeout: 600000
+xpack.security.session.idleTimeout: 600000
+--------------------------------------------------------------------------------
+--
+
+. Optional: Change the maximum session duration or "lifespan" -- also known as
+the "absolute timeout". By default, a session stays active until the browser is
+closed. If an idle timeout is defined, a session can still be extended
+indefinitely. To define a maximum session lifespan, set the
+`xpack.security.session.lifespan` property in the `kibana.yml` configuration
+file. The lifespan is specified in milliseconds. For example, set the lifespan
+to 28800000 to expire sessions after 8 hours:
++
+--
+[source,yaml]
+--------------------------------------------------------------------------------
+xpack.security.session.lifespan: 28800000
 --------------------------------------------------------------------------------
 --
 

src/dev/build/tasks/os_packages/docker_generator/resources/bin/kibana-docker

@@ -180,6 +180,8 @@ kibana_vars=(
     xpack.security.encryptionKey
     xpack.security.secureCookies
     xpack.security.sessionTimeout
+    xpack.security.session.idleTimeout
+    xpack.security.session.lifespan
     xpack.security.loginAssistanceMessage
     telemetry.enabled
     telemetry.sendUsageFrom

src/legacy/core_plugins/status_page/index.js

@@ -26,6 +26,11 @@ export default function (kibana) {
         hidden: true,
         url: '/status',
       },
+      injectDefaultVars(server) {
+        return {
+          isStatusPageAnonymous: server.config().get('status.allowAnonymous'),
+        };
+      }
     }
   });
 }

src/plugins/status_page/kibana.json

@@ -0,0 +1,6 @@
+{
+  "id": "status_page",
+  "version": "kibana",
+  "server": false,
+  "ui": true
+}

src/plugins/status_page/public/index.ts

@@ -0,0 +1,24 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import { PluginInitializer } from 'kibana/public';
+import { StatusPagePlugin, StatusPagePluginSetup, StatusPagePluginStart } from './plugin';
+
+export const plugin: PluginInitializer<StatusPagePluginSetup, StatusPagePluginStart> = () =>
+  new StatusPagePlugin();

src/plugins/status_page/public/plugin.ts

@@ -0,0 +1,39 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import { Plugin, CoreSetup } from 'kibana/public';
+
+export class StatusPagePlugin implements Plugin<StatusPagePluginSetup, StatusPagePluginStart> {
+  public setup(core: CoreSetup) {
+    const isStatusPageAnonymous = core.injectedMetadata.getInjectedVar(
+      'isStatusPageAnonymous'
+    ) as boolean;
+
+    if (isStatusPageAnonymous) {
+      core.http.anonymousPaths.register('/status');
+    }
+  }
+
+  public start() {}
+
+  public stop() {}
+}
+
+export type StatusPagePluginSetup = ReturnType<StatusPagePlugin['setup']>;
+export type StatusPagePluginStart = ReturnType<StatusPagePlugin['start']>;

x-pack/legacy/plugins/security/index.js

@@ -29,7 +29,10 @@ export const security = (kibana) => new kibana.Plugin({
       enabled: Joi.boolean().default(true),
       cookieName: Joi.any().description('This key is handled in the new platform security plugin ONLY'),
       encryptionKey: Joi.any().description('This key is handled in the new platform security plugin ONLY'),
-      sessionTimeout: Joi.any().description('This key is handled in the new platform security plugin ONLY'),
+      session: Joi.object({
+        idleTimeout: Joi.any().description('This key is handled in the new platform security plugin ONLY'),
+        lifespan: Joi.any().description('This key is handled in the new platform security plugin ONLY'),
+      }).default(),
       secureCookies: Joi.any().description('This key is handled in the new platform security plugin ONLY'),
       loginAssistanceMessage: Joi.string().default(),
       authorization: Joi.object({
@@ -44,9 +47,10 @@ export const security = (kibana) => new kibana.Plugin({
     }).default();
   },
 
-  deprecations: function ({ unused }) {
+  deprecations: function ({ rename, unused }) {
     return [
       unused('authorization.legacyFallback.enabled'),
+      rename('sessionTimeout', 'session.idleTimeout'),
     ];
   },
 
@@ -89,7 +93,11 @@ export const security = (kibana) => new kibana.Plugin({
 
       return {
         secureCookies: securityPlugin.__legacyCompat.config.secureCookies,
-        sessionTimeout: securityPlugin.__legacyCompat.config.sessionTimeout,
+        session: {
+          tenant: server.newPlatform.setup.core.http.basePath.serverBasePath,
+          idleTimeout: securityPlugin.__legacyCompat.config.session.idleTimeout,
+          lifespan: securityPlugin.__legacyCompat.config.session.lifespan,
+        },
         enableSpaceAwarePrivileges: server.config().get('xpack.spaces.enabled'),
       };
     },

x-pack/legacy/plugins/security/public/hacks/on_session_timeout.js

@@ -7,28 +7,20 @@
 import _ from 'lodash';
 import { uiModules } from 'ui/modules';
 import { isSystemApiRequest } from 'ui/system_api';
-import { Path } from 'plugins/xpack_main/services/path';
 import { npSetup } from 'ui/new_platform';
 
-/**
- * Client session timeout is decreased by this number so that Kibana server
- * can still access session content during logout request to properly clean
- * user session up (invalidate access tokens, redirect to logout portal etc.).
- * @type {number}
- */
-
 const module = uiModules.get('security', []);
 module.config(($httpProvider) => {
   $httpProvider.interceptors.push((
     $q,
   ) => {
 
-    const isUnauthenticated = Path.isUnauthenticated();
+    const isAnonymous = npSetup.core.http.anonymousPaths.isAnonymous(window.location.pathname);
 
     function interceptorFactory(responseHandler) {
       return function interceptor(response) {
-        if (!isUnauthenticated && !isSystemApiRequest(response.config)) {
-          npSetup.plugins.security.sessionTimeout.extend();
+        if (!isAnonymous && !isSystemApiRequest(response.config)) {
+          npSetup.plugins.security.sessionTimeout.extend(response.config.url);
         }
         return responseHandler(response);
       };