mirror of
https://github.com/0rangebananaspy/authelia.git
synced 2024-09-14 22:47:21 +07:00
dacdce6c50
This timeout will prevent an attacker from using a session that has been inactive for too long. This inactivity timeout combined with the timeout before expiration makes a good combination of security mechanisms to prevent session theft. If no activity timeout is provided, then the feature is disabled and only session expiration remains as a protection.
24 lines
1.2 KiB
Gherkin
24 lines
1.2 KiB
Gherkin
@needs-inactivity-config
|
|
Feature: Session is closed after a certain amount of time
|
|
|
|
@need-authenticated-user-john
|
|
Scenario: An authenticated user is disconnected after a certain inactivity period
|
|
Given I have access to:
|
|
| url |
|
|
| https://public.test.local:8080/secret.html |
|
|
When I sleep for 6 seconds
|
|
And I visit "https://public.test.local:8080/secret.html"
|
|
Then I'm redirected to "https://auth.test.local:8080/?redirect=https%3A%2F%2Fpublic.test.local%3A8080%2Fsecret.html"
|
|
|
|
@need-authenticated-user-john
|
|
Scenario: An authenticated user is disconnected after session expiration period
|
|
Given I have access to:
|
|
| url |
|
|
| https://public.test.local:8080/secret.html |
|
|
When I sleep for 4 seconds
|
|
And I visit "https://public.test.local:8080/secret.html"
|
|
And I sleep for 4 seconds
|
|
And I visit "https://public.test.local:8080/secret.html"
|
|
And I sleep for 4 seconds
|
|
And I visit "https://public.test.local:8080/secret.html"
|
|
Then I'm redirected to "https://auth.test.local:8080/?redirect=https%3A%2F%2Fpublic.test.local%3A8080%2Fsecret.html" |