Add admin-configurable session timeout and security hardening #3536
Open
Rolling2405 wants to merge 4 commits into DARIAEngineering:main from
Session Timeout:
- New Config key 'session_timeout' with options: 15, 30 (default), 60, 120, 180 minutes
- Reduced default from 2 hours to 30 minutes (security best practice)
- User model reads timeout dynamically from fund Config via timeout_in method
- Full validation: only accepts approved timeout values

Cookie Security:
- Added httponly: true to session cookie (prevents JS access)
- Added same_site: :lax (CSRF protection, allows normal navigation)
- Existing secure: true in production already enforced

Session Fixation Protection:
- Role changes (admin/data_volunteer/cm) now force logout the affected user via session_validity_token invalidation (unless changing own role)
- Uses existing Warden after_fetch hook that checks validity tokens

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Fix config enum value: session_timeout 27 -> 26 (next sequential after main's max of 25)
- Add tenant guard in Config.session_timeout: returns default 30min when no tenant set (prevents error during Devise initialization before tenant is established)
- Add comprehensive tests for session timeout:
  - Enum value correctness
  - Default behavior without tenant
  - Configured timeout retrieval
  - Fallback for invalid values
  - All valid options (15, 30, 60, 120, 180)
  - Validation of timeout values
  - Default constant value

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Test User#timeout_in returns configured session timeout
- Test session store has httponly and same_site:lax attributes

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Rolling2405 added a commit to Rolling2405/dcaf_case_management that referenced this pull request (Apr 12, 2026):
Change days_to_keep_archived_patients enum value from 26 to 27 to avoid collision with session_timeout: 26 in PR DARIAEngineering#3536.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Add tests for:
- Controller integration: force_logout fires when admin changes user role
- Cross-fund isolation: one fund's timeout config doesn't leak to another
- User#timeout_in returns correct ActiveSupport::Duration object
- Edge cases: missing config record, nil options fallback to default

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
I rule and have completed some work on Case Manager that's ready for review!
This lets admins configure how long a user's session lasts before they are automatically signed out, improving security for funds that need stricter session controls.
This pull request makes the following changes:
- session_timeout (enum value 26) so admins can choose a session duration
- Timeoutable concern for session expiration checking
- before_action tenant-scoped timeout guard in ApplicationController

Notes:
#3536 → #3550.

For reviewer:
- feature if it contains a feature, fix, or similar. This is anything that contains a user-facing fix in some way, such as frontend changes, alterations to backend behavior, or bug fixes.
- dependencies if it contains library upgrades or similar. This is anything that upgrades any dependency, such as a Gemfile update or npm package upgrade.
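The three mechanisms the commits and description above talk about (an allowlisted, per-fund session_timeout with a tenant guard and default fallback; User#timeout_in reading that value so Devise's idle limit is per tenant; and session_validity_token rotation on a role change so the Warden after_fetch check rejects the affected user's existing sessions) as an added plain-Ruby model. This is example code written for this page, not the project's code: FundConfig, its in-memory store, change_role!, open_session and session_valid? are assumptions standing in for the Rails Config model, Devise's Timeoutable and the Warden hook, and timeout_in returns seconds rather than an ActiveSupport::Duration. The cookie flags (httponly, same_site: :lax) are a session_store setting and are not modelled here.

```ruby
require 'securerandom'

SECONDS_PER_MINUTE = 60

# Stand-in for the fund-scoped Config key described in the PR. The allowlist is
# enforced on write and re-checked on read, so a corrupt or unknown row can
# never lengthen a session beyond an approved value.
class FundConfig
  VALID_SESSION_TIMEOUTS = [15, 30, 60, 120, 180].freeze # minutes
  DEFAULT_SESSION_TIMEOUT = 30

  @store = {} # fund name => minutes (assumption: models per-tenant Config rows)

  class << self
    def set_session_timeout(fund, minutes)
      unless VALID_SESSION_TIMEOUTS.include?(minutes)
        raise ArgumentError, "invalid session_timeout: #{minutes.inspect}"
      end
      @store[fund] = minutes
    end

    # Tenant guard: with no fund established (e.g. during Devise initialization)
    # return the default instead of raising; invalid stored values also fall back.
    def session_timeout(fund)
      return DEFAULT_SESSION_TIMEOUT if fund.nil?
      value = @store[fund]
      VALID_SESSION_TIMEOUTS.include?(value) ? value : DEFAULT_SESSION_TIMEOUT
    end

    def reset!
      @store.clear
    end
  end
end

class User
  attr_reader :fund, :session_validity_token
  attr_accessor :role

  def initialize(fund:, role:)
    @fund = fund
    @role = role
    @session_validity_token = SecureRandom.hex(16)
  end

  # Devise's Timeoutable asks the record for timeout_in; reading the fund's
  # Config here makes the idle limit per tenant instead of a hard-coded constant.
  # Returns seconds (the Rails version returns an ActiveSupport::Duration).
  def timeout_in
    FundConfig.session_timeout(fund) * SECONDS_PER_MINUTE
  end

  # Rotating the token invalidates every session issued under the old one.
  def force_logout!
    @session_validity_token = SecureRandom.hex(16)
  end
end

# Stand-in for the admin action that edits a role: the affected user's sessions
# are invalidated unless the admin is changing their own role.
def change_role!(actor:, target:, new_role:)
  target.role = new_role
  target.force_logout! unless actor.equal?(target)
  target
end

# A minimal session record: the validity token it was issued with and when the
# user last made a request (Timeoutable's last_request_at).
Session = Struct.new(:user, :token, :last_request_at)

def open_session(user, now)
  Session.new(user, user.session_validity_token, now)
end

# Combines the Warden after_fetch token check with Timeoutable's idle check: a
# fetched session survives only if its token still matches the user's current
# one and it has not been idle longer than the user's timeout_in.
def session_valid?(session, now)
  return false unless session.token == session.user.session_validity_token
  (now - session.last_request_at) <= session.user.timeout_in
end
```

Two details worth keeping when porting this back to the real models: the read path re-validates against the allowlist rather than trusting the stored value, which is what makes the "fallback for invalid values" and "nil options" cases in the test list safe, and the self-edit exemption in change_role! compares object identity (the same user record), not role names, so an admin editing another admin still forces that admin out.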