inactive session timeout

[SteveBeauchemin]

There is a new requirement that has been handed to me, and to all folks here that support applications and tools.
In the Nagios XI tool, after a period of user inactivity, I need to have sessions time out. I need the GUI to stop updating,
and have it return to an authentication screen. If the user wants to continue using Nagios XI they have to put in their credentials again.

At some point I also need 2 factor authentication. These can be 2 different things, unless the same solution does both.

This is a business requirement that all our application support people are being asked to provide for their tools.

Is there any way to do this today in Nagios XI? If not, is there anyone that has any idea how to make Apache / PHP / Nagios do something like this?

Any assistance is appreciated. I am willing to get creative.

Thanks

Steve B

[dwhitfield]

Currently, the issue with php session timeouts is that the AJAX calls reset the session.

The following is in the XI 5.5 roadmap: https://www.nagios.com/roadmaps/

Security improvements and updates

I can get some clarity on that if you like.

[SteveBeauchemin]

Yes Doctor... Please provide a little more information as this is going to be a concern for us in the future.

If the user stops interacting with the Nagios XI GUI for [some configurable setting] such as 25 minutes, can the system log them out and put them back on the login page.
That is basically what we are hoping for. Something like that.

Thanks
Steve B

[dwhitfield]

Unfortunately, the devs are not ready to make any public comment on what new security features will be in XI 5.5.

You could probably bake up some sort of two-factor auth into /usr/local/nagiosxi/html/loginsplash.inc.php with the caveat that it will be overwritten on upgrades.

I've been telling people to check back in December about XI 5.5, but of course we all hope it is out before then.