Gerrit web auto-logout issue.

hari

Oct 4, 2017, 4:59:10 AM
to Repo and Gerrit Discussion
Hi,

We are currently using Gerrit 2.13.5 version and our customers are getting logged out from webpage after 12 hours. It says "Session Expired"

Though I have set the "maxAge = 3d ",it still doesn't help. I tried 1w and even 1yr but nothing fruitful. 


Any pointers will be helpful. 


--------- gerrit.config -------------
[cache "web_sessions"]
        maxAge = 3d

Matthew Webber

Oct 4, 2017, 5:44:09 AM
to Repo and Gerrit Discussion
> We are currently using Gerrit 2.13.5 version and our customers are getting logged out from webpage after 12 hours. It says "Session Expired"
> Though I have set the "maxAge = 3d ",it still doesn't help. I tried 1w and even 1yr but nothing fruitful.
> --------- gerrit.config -------------
> [cache "web_sessions"]
>         maxAge = 3d

I'm running Gerrit 2.14.3, and it's working for us. Our settings are:
[cache "web_sessions"]
maxAge = 5d

Did you restart Gerrit after making the change? gerrit.config is only read at startup, so changes there do not take effect until you restart.

Matthew


Matthias Sohn

Oct 4, 2017, 5:47:53 AM
to hari, Repo and Gerrit Discussion
On Wed, Oct 4, 2017 at 10:59 AM, hari <bhh...@gmail.com> wrote:
> Hi,
>
> We are currently using Gerrit 2.13.5 version and our customers are getting logged out from webpage after 12 hours. It says "Session Expired"
>
> Though I have set the "maxAge = 3d ",it still doesn't help. I tried 1w and even 1yr but nothing fruitful.
>
> Any pointers will be helpful.

maybe you need to increase the size of the cache "web_sessions" 

-Matthias

hari

Oct 4, 2017, 5:50:31 AM
to Repo and Gerrit Discussion
yes, I indeed restarted Gerrit after changing the config. 

Saša Živkov

Oct 5, 2017, 10:36:44 AM
to hari, Repo and Gerrit Discussion
On Wed, Oct 4, 2017 at 10:59 AM, hari <bhh...@gmail.com> wrote:
> Hi,
>
> We are currently using Gerrit 2.13.5 version and our customers are getting logged out from webpage after 12 hours.

Is it exactly 12 hours for any web session? Or did you just see some of them expire after 12 hours?

> It says "Session Expired"

We had a few cases where someone created an excessive number of web_sessions from their automation scripts.
Eventually, the web_sessions cache was full and started dropping other users' sessions.
Users were seeing "Session Expired" at random times.

> Though I have set the "maxAge = 3d ",it still doesn't help. I tried 1w and even 1yr but nothing fruitful.
>
> Any pointers will be helpful.
>
> --------- gerrit.config -------------
> [cache "web_sessions"]
>         maxAge = 3d


hari

Oct 5, 2017, 10:50:13 AM
to Repo and Gerrit Discussion
Hi Zivkov,

It may not be exactly 12 hours. I haven't confirmed this. But what you suggested is interesting, when I ran query for show-caches, I see this

  Name                          |Entries              |  AvgGet |Hit Ratio|
                                |   Mem   Disk   Space|         |Mem  Disk|
--------------------------------+---------------------+---------+---------+
D web_sessions                  |  1024 309550 129.13m|         | 94%  46%|

so ideally disk utilized is only 46%. And my $site/cache folder size for web_session cache is as follows. 

315M    web_sessions.h2.db
4.0K    web_sessions.lock.db
68K     web_sessions.trace.db

How do you generally determine that web_cache is full?



Saša Živkov

Oct 5, 2017, 11:28:45 AM
to hari, Repo and Gerrit Discussion
On Thu, Oct 5, 2017 at 4:50 PM, hari <bhh...@gmail.com> wrote:
> Hi Zivkov,
>
> It may not be exactly 12 hours. I haven't confirmed this. But what you suggested is interesting, when I ran query for show-caches, I see this
>
>   Name                          |Entries              |  AvgGet |Hit Ratio|
>                                 |   Mem   Disk   Space|         |Mem  Disk|
> --------------------------------+---------------------+---------+---------+
> D web_sessions                  |  1024 309550 129.13m|         | 94%  46%|

This means you have currently 1024 sessions in the "web_sessions" cache.
Since the default value for the cache.web_sessions.memoryLimit is exactly 1024 this means
that the cache is full and new sessions will kick out old ones before old ones expire.
Try increasing memory limit to a number larger than the number of your users. For example:

[cache "web_sessions"]
  memoryLimit = 8192

Restart Gerrit afterwards.
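
The check described in the reply above, as an added example that is not part of the original thread and not Gerrit's own code: it parses show-caches rows and flags a cache whose in-memory entry count has reached its memoryLimit. The function names are hypothetical, the sample rows are the ones posted in this thread, and the limit is supplied by the caller (1024 being the default named above).

```python
# Constructed sample: show-caches rows as posted in this thread.
SAMPLE = """\
  Name                          |Entries              |  AvgGet |Hit Ratio|
                                |   Mem   Disk   Space|         |Mem  Disk|
--------------------------------+---------------------+---------+---------+
D web_sessions                  |  1024 309550 129.13m|         | 94%  46%|
D oauth_tokens                  |     1      1   3.50k|         |100%     |
"""

# Default for cache.web_sessions.memoryLimit as stated in the thread.
DEFAULT_MEMORY_LIMIT = 1024


def parse_show_caches(text):
    """Return {cache_name: {"mem": int, "disk": int or None}} for data rows."""
    caches = {}
    for line in text.splitlines():
        cols = line.split("|")
        if len(cols) < 4:
            continue  # separator line or text outside the table
        name_parts = cols[0].split()
        counts = cols[1].split()
        # Data rows carry a cache name and a numeric Mem count; header rows do not.
        if not name_parts or not counts or not counts[0].isdigit():
            continue
        name = name_parts[-1]  # drop the leading "D" (disk-backed) flag
        disk = int(counts[1]) if len(counts) > 1 and counts[1].isdigit() else None
        caches[name] = {"mem": int(counts[0]), "disk": disk}
    return caches


def saturated(caches, limits, threshold=1.0):
    """Names of caches whose Mem count has reached threshold * configured limit."""
    hits = []
    for name, limit in limits.items():
        entry = caches.get(name)
        if entry and entry["mem"] >= threshold * limit:
            hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    parsed = parse_show_caches(SAMPLE)
    for name in saturated(parsed, {"web_sessions": DEFAULT_MEMORY_LIMIT}):
        print(f"{name}: {parsed[name]['mem']} entries in memory, at the limit; "
              "sessions can be evicted before maxAge")
```

Run periodically with a threshold below 1.0 (for example 0.9), this gives warning before users start seeing "Session Expired" from eviction rather than from maxAge.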


jun...@ql.ventures

Sep 22, 2018, 10:49:53 PM
to Repo and Gerrit Discussion
We have the same issue now with Gerrit 2.15.3. I changed the config as recommended like

[cache "web_sessions"]
        maxAge = 1w
        memoryLimit = 1m
        diskLimit = 128m


Are there any other settings that I have to update to avoid this issue?

Thanks,

Matthias Sohn

Sep 23, 2018, 3:01:16 AM
to jun...@ql.ventures, Repo and Gerrit Discussion
On Sun, Sep 23, 2018 at 4:49 AM <jun...@ql.ventures> wrote:
> We have the same issue now with Gerrit 2.15.3. I changed the config as recommended like
>
> [cache "web_sessions"]
>         maxAge = 1w
>         memoryLimit = 1m
>         diskLimit = 128m
>
> Are there any other settings that I have to update to avoid this issue?

What's the output of show-caches [1] for this cache?


-Matthias

jun...@ql.ventures

Sep 23, 2018, 3:09:14 AM
to Repo and Gerrit Discussion
Only a few people are using this server at the moment, so I don't think it's a cache issue.

The output of show-cache is:

D web_sessions                  |     1     21   9.68k|         | 23% 100%|

jun...@ql.ventures

Sep 23, 2018, 6:53:15 PM
to Repo and Gerrit Discussion
I checked GerritAccount cookie and expires seems to be set correctly:

Created: Sunday, September 23, 2018 at 12:01:13 PM
Expires: Sunday, September 30, 2018 at 12:01:13 PM

And the cache also looks fine:

...
D oauth_tokens                  |     1      1   3.50k|         |100%     |
D web_sessions                  |     1      1   0.46k|         | 70%     |

But whenever I try to access after a few hours, I get 'Session Expired' error message.

Matthew Webber

Sep 24, 2018, 4:28:01 AM
to Repo and Gerrit Discussion
This works for us in Gerrit 2.15.3:
[auth]
 type = OAUTH
 gitBasicAuthPolicy = HTTP
 cookieSecure = true
[cache]
 directory = cache
[cache "web_sessions"]
 maxAge = 5d

Do you still get the problem after deleting all cookies, clearing cache, and then testing again?
Matthew

jun...@ql.ventures

Sep 24, 2018, 5:33:33 PM
to Repo and Gerrit Discussion
Yes I tried several times after clearing all cookies and caches.
cookieSecure was not set before, but even with that, the session was expired after 1 hour.
(Not sure cookieSecure would affect it or not)

The server is running behind a proxy (Google Cloud Identity-Aware-Proxy). Is there any possibility that this caused the issue?

The config is like

[httpd]
        listenUrl = proxy-https://*:8081/
[cache "web_sessions"]
        maxAge = 1w
        memoryLimit = 2048
[auth]
        type = OAUTH
        gitBasicAuthPolicy = HTTP
        cookieSecure = true
[plugin "gerrit-oauth-provider-google-oauth"]
        client-id = ....
        use-email-as-username = true
        fix-legacy-user-id = false

jun...@ql.ventures

Sep 24, 2018, 7:06:10 PM
to Repo and Gerrit Discussion
I tried to get oauth token via /accounts/self/oauthtoken:

{
  "username": "j...",
  "resource_host": "gerrit.....",
  "access_token": "ya29....",
  "expires_at": "9223372036854775807",
  "type": "bearer"
}

AFAIK, Google access token has 1 hour lifetime, but 'expires_at' is set to max int64.
I couldn't find any code to set expiry and deal with refresh in gerrit-oauth-provider plugin.
So, this might be the reason why my session is expired after 1 hour?

jun...@ql.ventures

Sep 25, 2018, 3:25:17 AM
to Repo and Gerrit Discussion
It looks like IAP causes this issue. It worked when I disabled IAP.
IAP session is valid only for one hour and it also seems to work when I tried 'refreshing'.

Currently I'm using IAP in order to restrict access not just by domain, but also by a list of emails (via Google group).

If I need to add this refreshing script, what is the best way?

<iframe src="/_gcp_iap/session_refresher" style="width:0;height:0;border:0; border:none;"></iframe>
