60-minute default idle session timeout is waaaaaaay too short to be practical

Description

Summary: The 60-minute default value for idle-session timeout is too short to be practical, making normal operations such as data-import and bulk-edit impossible to perform because the UI times out in the middle of a job.

Expected behavior: Sessions last 7 days or longer.

Actual behavior: Sessions are terminated after 1 hour without activity.

CSP Request Details

This is a very small adjustment to a default configuration value in stripes, which effectively makes the Idle Session Timeout feature opt-in instead of opt-out. This change will mitigate the risk of confusing and/or frustrating users who are logged out due to inactivity - something which would not have happened in prior releases. IOW, without this change, users will be faced with a potentially disruptive change in behavior which they may not expect.

CSP Rejection Details

None

Potential Workaround

Edit stripes.config.js to configure idleSessionTTL: https://folio-org.atlassian.net/wiki/spaces/DEV/pages/46858271/stripes.config.js+properties

Zak Burke 2 days ago

Respectfully, I disagree. I would support this stance if the 60m default had been carefully selected by the Security Group in consultation with POs/users to choose a good balance between security and functionality. But that is not what happened here. What happened is, I pulled 60m out of thin air and now we have a default value that is not functional. This ticket is not about loosening FOLIO’s security. It is about correcting a mistake.

Jens Heinrich 2 days ago

As this feature increases security as a default, the Security Group supports it and asks users requiring lower security to update their configuration.
Using the secure value as the default helps adoption of more secure settings.

Julian Ladisch March 6, 2025 at 3:19 PM

GBV want to keep the default of 1 hour for security reasons. GBV libraries make inventory bulk edits in the union catalog (not in FOLIO). GBV libraries don’t need a longer session timeout than 1 hour.

Won't Do

Details

Development Team: Stripes Force

Release: Ramsons (R2 2024) Service Patch #1

RCA Group: TBD

Created March 4, 2025 at 9:57 PM
Updated 2 days ago
Resolved 4 days ago